Bug 1015772 - Fuji Xerox: Issuing 1024 bit certificates
Status: RESOLVED FIXED (Closed)
Product / Component: CA Program :: CA Certificate Root Program (task)
Opened 10 years ago; closed 9 years ago
Tracking: not tracked
Reporter: kurt; Assignee: h-kamo
Whiteboard: BR Compliance
Description

I have a recent example of Fuji Xerox issuing 1024 bit key certificates. The trust path is:

OU = Security Communication RootCA1, O = SECOM Trust.net, C = JP
CN = Fuji Xerox Certification Authority, O = Fuji Xerox, C = JP
CN = Fuji Xerox Endorsement CA, O = Fuji Xerox, C = JP
Comment 1•10 years ago

Kamo-san,
Please look into this bug. As per the Baseline Requirements and Mozilla policy, CAs should not be issuing certificates with RSA key size smaller than 2048 bits.
Comment 2 (Assignee)•10 years ago

Kathleen-san,
Thank you for the information. The person who is in charge of Fuji Xerox is away this week. Please let me check with him as soon as he comes back next week.
Updated•10 years ago
Assignee: kwilson → h-kamo
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Whiteboard: BR Compliance

Updated•10 years ago
Blocks: BR-Compliance
Comment 3 (Assignee)•10 years ago

Kathleen-san,
Fuji Xerox is now issuing SHA-2 2048-bit EE certificates and is no longer issuing 1024-bit EE certificates. All 1024-bit EE certificates that have already been issued will have expired by December 2014. The environments that use the 1024-bit EE certificates do not contain known security risks to Relying Parties, and the certificates are difficult (impossible) to replace without substantial economic outlay.
Comment 4 (Reporter)•10 years ago

(In reply to Hisashi Kamo from comment #3)
> The environments used the 1024bit EE certificates do not contain known
> security risks to Relying Parties
> and is difficult (impossible) to replace without substantial economic outlay.

Can you please clarify why:
- It's impossible to replace?
- Why Relying Parties are not affected by this?
Comment 5 (Assignee)•10 years ago

Kurt-san,

- It's impossible to replace?
The certificates embedded in the devices cannot be replaced. There is no way to replace them on-line, and on-site assignment would be a huge expense.

- Why Relying Parties are not affected by this?
Because access is limited to the devices, there is no influence on the browser vendors.
Comment 6 (Reporter)•10 years ago

So I still found 4 1024-bit certificates issued in November 2014 by Fuji Xerox. They expire in November 2016. This conflicts with what was previously said.
Comment 7•10 years ago

Well, 1024-bit end entity certificates are much less of a threat than 1024-bit CA roots. Are these certificates wildcard or limited to specific domain names?
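The three properties this thread turns on (an RSA modulus below 2048 bits, a SHA-1 rather than SHA-2 signature, and whether a leaf is a wildcard certificate, as asked in comment 7) can be checked from a PEM file with nothing but `openssl`. The script below is an added example, not part of the bug and not any CA's tooling. It assumes `openssl` 1.1.1 or later is on PATH (for `-addext`); the self-signed certificates it generates are constructed test data, not the Fuji Xerox certificates discussed here, and all file names are hypothetical.

```shell
#!/bin/sh
# Audit a PEM certificate for the points raised in this bug:
#   - RSA key size (Mozilla policy / Baseline Requirements minimum: 2048 bits)
#   - signature hash (flag SHA-1 and MD5; expect a SHA-2 algorithm)
#   - wildcard DNS names in subjectAltName (comment 7)
# Added example; assumes `openssl` 1.1.1+ on PATH. Not Fuji Xerox's or SECOM's code.

# cert_key_bits FILE -> prints the public key size in bits
# (matches both "Public-Key: (N bit)" and OpenSSL 1.1.1's "RSA Public-Key: (N bit)")
cert_key_bits() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# cert_sig_alg FILE -> prints the signature algorithm, e.g. sha256WithRSAEncryption
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | sed -n 's/^ *Signature Algorithm: \(.*\)/\1/p' | head -n 1
}

# cert_has_wildcard_san FILE -> exit 0 if any DNS SAN begins with "*."
# (the SAN values are printed on the line after the extension name)
cert_has_wildcard_san() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' | grep -q 'DNS:\*\.'
}

# check_cert FILE -> prints "PASS" or "FAIL: <reasons>"; exit status 1 on FAIL
check_cert() {
    bits=$(cert_key_bits "$1")
    alg=$(cert_sig_alg "$1")
    reasons=""
    [ "${bits:-0}" -ge 2048 ] || reasons="$reasons key=${bits}bit(<2048)"
    case "$alg" in
        sha1*|md5*) reasons="$reasons sig=$alg" ;;
    esac
    if cert_has_wildcard_san "$1"; then
        reasons="$reasons wildcard-SAN"
    fi
    if [ -z "$reasons" ]; then
        echo "PASS"
        return 0
    fi
    echo "FAIL:$reasons"
    return 1
}

# make_test_cert BITS OUT.pem CN [SAN] -> self-signed, SHA-256 signed test cert.
# Constructed sample data for exercising the checks above; the key is written
# next to the certificate and can be discarded.
make_test_cert() {
    if [ -n "$4" ]; then
        openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 1 \
            -keyout "$2.key" -out "$2" -subj "/CN=$3" \
            -addext "subjectAltName=$4" >/dev/null 2>&1
    else
        openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 1 \
            -keyout "$2.key" -out "$2" -subj "/CN=$3" >/dev/null 2>&1
    fi
}

# Usage: sh audit_cert.sh CERT.pem   (script name is hypothetical)
if [ $# -gt 0 ]; then
    check_cert "$1"
fi
```

Run it over every certificate in a chain, not just the leaf: comment 7's point is that a 1024-bit root or intermediate is far more damaging than a 1024-bit end-entity certificate, so a failing `cert_key_bits` on a CA certificate deserves more urgency than one on a device certificate.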
Comment 8 (Assignee)•9 years ago

I will check with our customers. We are now on winter vacation, so please allow us some time to respond.
Comment 9 (Assignee)•9 years ago

We checked and found that there are 16 1024-bit certificates, including the 4 certificates in your comment #6, and we are now examining how to respond.
Comment 10 (Assignee)•9 years ago

I apologize for the delay. Let us update you on the current status. We talked with the customer and found that they can sort this out by the beginning of April. Actually, 8 of them have already been replaced, and replacement of all 1024-bit certificates will be finished by April 10.
Comment 11 (Assignee)•9 years ago

For the remaining one certificate, the customer is now investigating the countermeasure, and the target for resolution is the end of July.
Comment 12 (Assignee)•9 years ago

This was finished yesterday. The remaining one certificate was replaced with a SHA-2 RSA 2048-bit certificate.
Updated•9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED

Updated•7 years ago
Product: mozilla.org → NSS

Updated•2 years ago
Product: NSS → CA Program