[cabfpub] CISCO issue

Adam Langley agl at google.com
Fri Jan 24 16:12:08 UTC 2014


On Fri, Jan 24, 2014 at 2:49 AM, <i-barreira at izenpe.net> wrote:

> These kinds of accelerators are used to increase the performance of the
> SSL connections.
>
> The problem so far is that these products don't support RSA 4096 bits
> because of performance reasons according to CISCO answers, and our CAs' key
> lengths are 4K. The good news is that the latest software version
> available (A5-3.0 in January 2014) supports TLS 1.1 and TLS 1.2.
>

SSL terminator devices often have key length restrictions on the size of
the leaf key - i.e. the key that they are performing decryptions and
signatures with. However, the size of the issuing CA's key isn't a factor:
that's just bytes in the certificate chain that it sends.

Are you sure that there just hasn't been a miscommunication? I suspect that
you'll find that a 2048-bit certificate signed with a 4096-bit certificate
will be just fine.


Cheers

AGL
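
The following is an added example, not part of the original message: a Go sketch that builds the chain described in the reply (a 2048-bit leaf issued by a 4096-bit CA) and measures which key size the terminating device actually computes with. The names `BuildChain`, `Sizes`, `Constructed Test CA` and `terminator.example` are constructed for illustration.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Sizes holds bit lengths measured on a constructed CA -> leaf chain.
type Sizes struct{ LeafKey, CASig, DeviceSig int }

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func tmpl(n int64, cn string, ca bool, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(n), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: ku}
}

// BuildChain issues a leafBits leaf from a caBits CA, validates the chain, then signs once with the leaf key.
func BuildChain(caBits, leafBits int) Sizes {
	caKey := must(rsa.GenerateKey(rand.Reader, caBits))
	leafKey := must(rsa.GenerateKey(rand.Reader, leafBits)) // the only private key the device holds
	caT := tmpl(1, "Constructed Test CA", true, x509.KeyUsageCertSign)
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caT, caT, &caKey.PublicKey, caKey))))
	leafT := tmpl(2, "terminator.example", false, x509.KeyUsageDigitalSignature|x509.KeyUsageKeyEncipherment)
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafT, ca, &leafKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	must(leaf.Verify(x509.VerifyOptions{Roots: roots})) // the client verifies the CA's signature, not the device
	digest := sha256.Sum256([]byte("constructed handshake data"))
	sig := must(rsa.SignPKCS1v15(rand.Reader, leafKey, crypto.SHA256, digest[:])) // device-side private-key operation
	return Sizes{leaf.PublicKey.(*rsa.PublicKey).N.BitLen(), len(leaf.Signature) * 8, len(sig) * 8}
}

func main() {
	fmt.Printf("%+v\n", BuildChain(4096, 2048))
}
```

The CA's 4096-bit signature appears only as bytes inside the leaf certificate, while the one private-key operation performed on the device side is 2048 bits wide.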