Closed
Bug 1015771
Opened 10 years ago
Closed 8 years ago
Dell: issuing 1024 bit keys
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kurt, Assigned: kathleen.a.wilson)
References
Details
(Whiteboard: BR Compliance)
I have several recent certificates from Dell issuing 1024 bit certificates. The trust path is:
CN = GTE CyberTrust Global Root, OU = "GTE CyberTrust Solutions, Inc.", O = GTE Corporation, C = US
CN = Dell Inc. Enterprise CA, O = Dell Inc.
CN = Dell Inc. Enterprise Issuing CA1, O = Dell Inc.
Comment 1•10 years ago
Steven, please respond in this bug. Thanks. Note: Bug #881553 is for removing some of the 1024-bit root certs (such as this one) from NSS. This bug was postponed in order to complete compatibility testing first. The bug is currently targeting Firefox 32.
Comment 2•10 years ago
I have sent a notice to the PKI team at Dell. Guidance regarding end of use of 1024-bit keys has been provided on multiple occasions to all subordinates over the course of the past several years. Subordinates are required to attest to us that they comply with specific browser policy statements from time to time. We have required a scan of all issued and valid certificates using 1024-bit keys with the intent to require replacement and revocation. Dell's issuers use 2048-bit keys. Dell are transitioning to a technically constrained subordinate.
Updated•10 years ago
Assignee: kwilson → steve.medin
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: BR Compliance
Updated•10 years ago
Blocks: BR-Compliance
Comment 3•10 years ago
Hi Steve: what's the latest here? Have all the 1024-bit certs issued by Dell now been replaced and revoked? Gerv
Comment 4•10 years ago
Hi Gerv, I'm actively consulting with Dell on this matter. The scope of impact is large and requires much time and effort to solve. We're working on a plan to end this compliance violation as rapidly as possible. We will report that plan when its details are settled. We have since placed Dell's SSL issuance process into our audited and compliant managed service with a 2048-bit key size minimum among numerous other technical constraints. The CA above is no longer issuing non-compliant certificates. All remaining certificates are now issued under a subordinate that contains technical constraints as required for code signing and email protection usages. These constrained subordinates chain to the Baltimore CyberTrust Root. These were actions taken to avoid the impact of removal of the GTE CyberTrust Global Root. Further information will be provided as we track this to a close.
Updated•8 years ago
Assignee: steve.medin → kwilson
Comment 5•8 years ago
Ben and Jeremy, please advise/comment on this bug. Note that the "GTE CyberTrust Global Root" cert has been removed from NSS. But hopefully Dell has been consulted about upgrading their certs.
Comment 6•8 years ago
Please close this bug. Dell indicates that they no longer have any 1024-bit RSA certificates. Thanks, Ben
Updated•8 years ago
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•7 years ago
Product: mozilla.org → NSS
Updated•1 year ago
Product: NSS → CA Program