As early as 2007, prominent cryptographers have been warning about the advancing ability to factor large numbers and the corresponding loss in strength of RSA keys in the size most commonly used today, 1024 bits (1, 2). By 2010, Elaine Barker and Allen Roginsky from the US National Institute of Standards and Technology (NIST) requested comments on their document titled “Recommendation for the Transitioning of Cryptographic Algorithms and Key Lengths” (3).
In that document, they argued that for Digital Signature Generation and Verification (the primary operations performed in creating and verifying an SSL certificate), 1024-bit RSA keys were “Acceptable through 2010” but “Deprecated from 2011 through 2013”. They concluded that “Based on the latest understanding of the state-of-the-art for breaking the cryptographic algorithms, given particular key lengths, the transition to the 112-bit security strength (equivalent to a 2048-bit RSA key) shall be accomplished by 2014, except where specifically indicated.”
While NIST’s recommendations were created for Federal agencies, NIST is considered a thought leader in this space, and their actions are seriously followed by commercial companies. The Certificate Authority/Browser Forum, which created mandatory guidelines for Extended Validation (EV) certificates, has mandated a minimum key size of 2048-bits for such certificates since January 1, 2011. Browser vendors have positioned themselves on the front line for enforcement of minimum security standards, and they have largely embraced NIST’s recommendations. For example, Mozilla (creator of the Firefox browser) plans to reject certificates with 1024-bit RSA keys according to NIST’s timelines (5). Microsoft is also applying key size restrictions on Certificate Authorities (6, 7). The Opera browser already enforces a minimum key size of 1000 bits, and plans to increase it in the future (8). If a Certificate Authority like Symantec were to defy NIST’s guidelines and sign certificates with smaller key sizes for a customer, that customer would find that no major browser would work with such a certificate.