3 comments:
Did you shoot video of the HSM destruction? Please put it on YouTube
But your certificate for "CN = mail.google.com" on https://gmail.com has a 256-bit key.
Why so?
While I am pleased to see a move to RSA2048, the use of Elliptic Curve keys, and the use of relatively short-term certificates for the user and issuing CA, I am however disappointed that you still have:
- SHA1 as your hashing algorithm in the subject certificate;
- SHA1 in the entire chain within your issuing CA and the GeoTrust root and;
- the fact that you have not moved your CA to be signed by a root that is of a greater cryptographic strength, such as RSA 3084 or RSA 4096.
Hopefully with your next update you can look at strengthening your posture that extra step.
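The checks the comment above asks for (the hash behind every signature in the chain, and the key size of each certificate against a policy minimum) can be scripted. The Go program below is an added example, not code from the original post or from Google: it constructs a demo chain in memory, shaped like the one the comment describes (an RSA 2048 root and issuing CA, both signing with SHA-1, and a leaf whose ECDSA P-256 key is the 256-bit key the second comment asks about), and audits it. Everything in it is made up for the example: the names Demo Root CA, Demo Issuing CA and mail.example.com, and the functions AuditChain and BuildDemoChain.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Finding is one weakness observed in one certificate of a chain.
type Finding struct {
	Subject string
	Issue   string
}

// weakSignatureHash reports whether a signature algorithm hashes with MD2, MD5 or SHA-1.
func weakSignatureHash(alg x509.SignatureAlgorithm) bool {
	switch alg {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA, x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		return true
	}
	return false
}

// keySizeAndMinimum returns a public key's size in bits and the policy minimum that
// applies to it: minRSABits for RSA, 256 for EC (P-256 is comparable to RSA 3072).
// Other key types get a minimum of 0, i.e. no size check.
func keySizeAndMinimum(pub interface{}, minRSABits int) (int, int) {
	switch k := pub.(type) {
	case *rsa.PublicKey:
		return k.N.BitLen(), minRSABits
	case *ecdsa.PublicKey:
		return k.Curve.Params().BitSize, 256
	}
	return 0, 0
}

// AuditChain inspects a leaf-first chain: every signature made with a weak hash is
// reported, as is every key below its policy minimum. A self-signed last certificate
// is a trust anchor; relying parties trust it because it is in their store, not by
// verifying its self-signature, so a weak hash there is reported as informational.
func AuditChain(chain []*x509.Certificate, minRSABits int) []Finding {
	var findings []Finding
	for i, cert := range chain {
		name := cert.Subject.CommonName
		if weakSignatureHash(cert.SignatureAlgorithm) {
			issue := "signed with " + cert.SignatureAlgorithm.String()
			if i == len(chain)-1 && cert.Subject.String() == cert.Issuer.String() {
				issue = "informational: trust anchor self-signature uses " + cert.SignatureAlgorithm.String()
			}
			findings = append(findings, Finding{name, issue})
		}
		if bits, min := keySizeAndMinimum(cert.PublicKey, minRSABits); bits < min {
			findings = append(findings, Finding{name, fmt.Sprintf("%s key is %d bits, policy minimum is %d",
				cert.PublicKeyAlgorithm, bits, min)})
		}
	}
	return findings
}

// makeCert signs tmpl with signer under parent and parses the DER back into a Certificate.
func makeCert(tmpl, parent *x509.Certificate, pub interface{}, signer crypto.Signer) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoChain constructs, in memory, a chain shaped like the one the comment
// describes: SHA-1 signatures throughout, RSA 2048 root and issuing CA, and an
// ECDSA P-256 (256-bit) leaf. All names are made up for this example.
func BuildDemoChain() ([]*x509.Certificate, error) {
	rootKey, err1 := rsa.GenerateKey(rand.Reader, 2048)
	issuingKey, err2 := rsa.GenerateKey(rand.Reader, 2048)
	leafKey, err3 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, fmt.Errorf("key generation failed: %v %v %v", err1, err2, err3)
	}
	now := time.Now()
	tmpl := func(serial int64, cn string, ca bool, years int) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now, NotAfter: now.AddDate(years, 0, 0),
			IsCA: ca, BasicConstraintsValid: true,
			SignatureAlgorithm: x509.SHA1WithRSA, // the weak hash the comment objects to
		}
	}
	rootTmpl := tmpl(1, "Demo Root CA", true, 20)
	root, err := makeCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	issuing, err := makeCert(tmpl(2, "Demo Issuing CA", true, 5), root, &issuingKey.PublicKey, rootKey)
	if err != nil {
		return nil, err
	}
	leaf, err := makeCert(tmpl(3, "mail.example.com", false, 1), issuing, &leafKey.PublicKey, issuingKey)
	if err != nil {
		return nil, err
	}
	return []*x509.Certificate{leaf, issuing, root}, nil
}
```

Running AuditChain over the demo chain with a 3072-bit RSA minimum (the stronger root the comment asks for) reports five findings: SHA-1 on the leaf and issuing CA signatures, the root's SHA-1 self-signature as informational, and both RSA 2048 CA keys as below policy; the P-256 leaf passes, because an EC key is measured against its own curve size and 256 bits is not a weak EC key. Relaxing the minimum to 2048 leaves only the three SHA-1 findings.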