Closed Bug 1015772 Opened 10 years ago Closed 9 years ago

Fuji Xerox: Issuing 1024 bit certificates

Category: CA Program :: CA Certificate Root Program
Type: task; Priority: Not set; Severity: normal
Status: RESOLVED FIXED
Reporter: kurt; Assigned: h-kamo
Whiteboard: BR Compliance

I have a recent example of Fuji Xerox issuing 1024-bit key certificates. The trust path is:
OU = Security Communication RootCA1, O = SECOM Trust.net, C = JP
CN = Fuji Xerox Certification Authority, O = Fuji Xerox, C = JP
CN = Fuji Xerox Endorsement CA, O = Fuji Xerox, C = JP

Kamo-san, please look into this bug. As per the Baseline Requirements and Mozilla policy, CAs should not be issuing certificates with an RSA key size smaller than 2048 bits.

Kathleen-san, thank you for the information. The person who is in charge of Fuji Xerox is away this week. Please let me check with him as soon as he comes back next week.
Assignee: kwilson → h-kamo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: BR Compliance
Kathleen-san,
Fuji Xerox is now issuing SHA-2 2048-bit EE certificates and is no longer issuing 1024-bit EE certificates.
All 1024-bit EE certificates that have already been issued will expire by December 2014.

The environments that use the 1024-bit EE certificates do not pose known security risks to Relying Parties
and are difficult (impossible) to replace without substantial economic outlay.

(In reply to Hisashi Kamo from comment #3)
> The environments that use the 1024-bit EE certificates do not pose known
> security risks to Relying Parties
> and are difficult (impossible) to replace without substantial economic outlay.

Can you please clarify:
- Why is it impossible to replace?
- Why are Relying Parties not affected by this?

Kurt-san,
- Why is it impossible to replace?
The certificates embedded in the devices cannot be replaced.
There is no way to replace them online, and on-site replacement would be a huge expense.
- Why are Relying Parties not affected by this?
Because access is limited to the devices, there is no influence on browser vendors.

So I still found 4 1024-bit certificates issued in November 2014 by Fuji Xerox. They expire in November 2016. This conflicts with what was previously said.

Well, 1024-bit end entity certificates are much less of a threat than 1024-bit CA roots. Are these certificates wildcard or limited to specific domain names?

I will check with our customers.
We are now on winter vacation, so please give us some time to respond.

We checked and found that there are 16 1024-bit certificates, including the 4 certificates in your comment #6, and we are now examining our response.

I apologize for the delay.

Let us update you on the current status.
We talked with the customer and found that they can figure it out by the beginning of April.
Actually, 8 of them have already been replaced, and replacement of all 1024-bit certificates will be finished by April 10.
For the remaining one certificate, the customer is now investigating a countermeasure, and the target for resolution is the end of July.

This was finished yesterday.
The remaining one certificate was replaced with a SHA-2 RSA 2048-bit certificate.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program