In the last few months, I have been reading blog posts (e.g., Google and Evernote) about certificate subscribers changing their keys from 1024-bit to 2048-bit RSA. I suppose congratulations may be in order. But, on the other hand, what’s been the delay?
As we move forward, we will see that CAs will no longer offer certificates with keys shorter than 2048 bits. There are some 1024-bit key certificates that were issued and expire after 2013. In these cases, some CAs will force the subscribers to re-issue their certificates with 2048-bit keys, while others will let the certificates run to expiry and renew them with 2048-bit keys. It is arguable that either approach is legitimate, as there does not appear to be an immediate risk to 1024-bit keys.
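As an added example (not from the original post), here is a small shell helper a site operator can use to audit a PEM certificate's RSA modulus size against the 2048-bit floor described above. It assumes only that the `openssl` command-line tool is on PATH; the helper that mints a throw-away self-signed certificate exists purely so the check can be exercised offline.

```shell
#!/bin/sh
# Audit helper: report the RSA modulus size of an X.509 certificate and
# flag keys below a policy minimum (2048 bits, matching the CA rules above).
# Assumes the openssl CLI is installed.

# Print the RSA modulus size in bits of a PEM certificate, or "non-rsa"
# when the certificate carries some other key type (e.g. ECDSA).
rsa_key_bits() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text) || return 1
    case "$text" in
        *"Public Key Algorithm: rsaEncryption"*) ;;
        *) echo "non-rsa"; return 0 ;;
    esac
    # openssl prints a line such as "Public-Key: (2048 bit)"
    printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p'
}

# Return 0 when the certificate meets the minimum RSA size, 1 when it does not.
# Non-RSA keys are outside this particular policy and are reported as passing.
check_min_rsa_bits() {
    cert="$1"; min="${2:-2048}"
    bits=$(rsa_key_bits "$cert") || return 1
    [ "$bits" = "non-rsa" ] && return 0
    [ "$bits" -ge "$min" ]
}

# Constructed sample input: a throw-away self-signed certificate with the
# requested RSA key size, written to "$2" (key goes to "$2.key").
make_test_cert() {
    bits="$1"; out="$2"
    openssl req -x509 -newkey "rsa:$bits" -nodes -keyout "$out.key" \
        -out "$out" -days 1 -subj "/CN=example-$bits.test" >/dev/null 2>&1
}
```

Typical use is `check_min_rsa_bits server.pem || echo "key below 2048 bits"` over every certificate you still serve.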
So, I would like to congratulate the EV SSL subscribers who, back in 2010, actually took the initiative to move to 2048-bit keys. I also would like to congratulate the small website operators that moved to 2048-bit keys in 2011 and 2012.
You know what, though? I still wonder why we're hearing from large companies — ahem, Google and the like — with their announcements of change, especially since the deadline is so close. Shouldn't this have been an initiative they drove from the beginning as industry leaders? It seems this should have just happened two or three years ago — without blogs, news releases and public fanfare.