danwent / Perspectives-Server

network notary implementation for the Perspectives project
http://perspectives-project.org
GNU General Public License v3.0
50 stars 13 forks

Increase notary key size #35

Open daveschaefer opened 10 years ago

daveschaefer commented 10 years ago

SSL Labs' "TLS Deployment Best Practices" doc suggests using a minimum of 2048 bit RSA keys, or ECDSA keys for longer lengths. We should increase notary key sizes.

This will require testing to see if it takes noticeably longer to calculate data for sites. We could always implement a background script that calculates site XML after a scan has completed, similar to server version 2.

daveschaefer commented 10 years ago

The smoothest way to upgrade existing notary keys may be to extract notary info into an XML file, as mentioned here - https://github.com/danwent/Perspectives/issues/97 . The notary could then use multiple keys in an overlapping time period, to give clients time to switch to the new one before removing the old.
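An added example, not part of the issue thread or the Perspectives code base: a standard-library check that reads the RSA modulus size from each published notary public key and reports the ones below the 2048-bit minimum, which is useful while old and new keys overlap during a rollover. It assumes keys are distributed as PEM `PUBLIC KEY` (SubjectPublicKeyInfo) blocks; the notary names are hypothetical and the sample keys are constructed around dummy moduli.

```python
import base64

MIN_RSA_BITS = 2048                               # minimum quoted in the issue
RSA_OID = bytes.fromhex("2a864886f70d010101")     # rsaEncryption, 1.2.840.113549.1.1.1

def _read_tlv(buf, pos=0):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                             # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Bit length of the RSA modulus in a PEM SubjectPublicKeyInfo ("PUBLIC KEY")."""
    b64 = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    _, spki, _ = _read_tlv(base64.b64decode(b64))     # outer SEQUENCE
    _, alg, pos = _read_tlv(spki)                     # AlgorithmIdentifier
    if _read_tlv(alg)[1] != RSA_OID:
        raise ValueError("not an RSA key")
    _, bitstr, _ = _read_tlv(spki, pos)               # BIT STRING wrapping RSAPublicKey
    _, rsakey, _ = _read_tlv(bitstr[1:])              # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsakey)                 # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def undersized(keys):
    """Map notary name -> modulus bits for every key below MIN_RSA_BITS."""
    sizes = {name: rsa_modulus_bits(pem) for name, pem in keys.items()}
    return {name: bits for name, bits in sizes.items() if bits < MIN_RSA_BITS}

def _tlv(tag, value):                             # DER encoder, used only to build samples
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def constructed_pem(bits):
    """Constructed sample: well-formed encoding around a dummy modulus, not a usable key."""
    integer = lambda v: _tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    rsakey = _tlv(0x30, integer((1 << (bits - 1)) | 1) + integer(65537))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    der = _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsakey))
    return "-----BEGIN PUBLIC KEY-----\n%s-----END PUBLIC KEY-----\n" % base64.encodebytes(der).decode()

# Hypothetical notary names; the old and new key overlap during a rollover.
NOTARY_KEYS = {"notary-old": constructed_pem(1024), "notary-new": constructed_pem(2048)}
```

Calling `undersized(NOTARY_KEYS)` returns only the entries that still need replacing, so an empty result indicates the old key can be retired from the list.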