ECCE: Issuing 1024 bit certificates

RESOLVED FIXED

People

(Reporter: kurt, Assigned: steve.medin, Mentored)

Details

(Whiteboard: BR Compliance)

(Reporter)

Description

5 years ago
Hi,

I found 7 certificates issued last week with a 1024-bit RSA key. The trust path is:
CN = GTE CyberTrust Global Root, OU = "GTE CyberTrust Solutions, Inc.", O = GTE Corporation, C = US
CN = ECRaizEstado, O = SCEE, C = PT
CN = ECCE, OU = ECEstado, O = SCEE, C = PT


Kurt

Comment 1

5 years ago
Steven, 

I'm concerned that: 

1) There are still 1024-bit certs being issued

2) There are still certs being issued in the "GTE CyberTrust Global Root" hierarchy, but that root is on track to be removed in Firefox 32 (bug #936304).
Mentor: steve.medin

Updated

5 years ago
Blocks: 1029147

Updated

5 years ago
Assignee: kwilson → steve.medin
Whiteboard: BR Compliance
(Assignee)

Comment 2

5 years ago
Customers who continue to use the GTE CyberTrust Global Root do not require trust in Firefox.  While the root will remain under WebTrust audit, it will transition to treatment as a private community PKI.  Customers are entitled to issue certificates under the GTE root that suit the abilities of their environment.  In some cases, this may involve hard-coded trust chains, firmware embedments that are fielded and incapable of remote update, or in rare cases, dependency on 1024-bit support.

Given the extension of trust of the GTE root to September, we will contact SCEE and respond further regarding this matter.

Comment 3

5 years ago
Re comment #2:  I infer that the GTE CyberTrust Global Root might thus be removed from NSS.  Is this correct?
(Assignee)

Comment 4

5 years ago
Correct, David, but in FF32 since mozilla::pkix was slotted first, so we're contacting the PKI owner since the offense extends to September unless corrected now.
(Assignee)

Comment 5

5 years ago
The ECCE CA currently forbids issuance of 1024-bit keys.  The PKI operator, Multicert, reports that 8 SSL certificates exist with key size violations.  All 8 subject entities have been contacted to replace their certificates immediately and we will receive progress reports in the days to come.

An action call for the replacement of the intermediate SCEE CA to the version signed under the Baltimore CyberTrust Root has been communicated to all end entities reliant on this PKI. Multicert serve the organization CEGER (www.ceger.gov.pt) who are responsible for the use of this PKI in Portuguese e-government.
(Reporter)

Comment 6

5 years ago
I see 40 certificates that are within their validity period that have a 1024-bit RSA key. None of them are currently revoked.
Removal of the GTE CyberTrust root is bug 1047011.

Gerv
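The kind of check behind the counts in the description and comment 6, added here as an example and not taken from the bug or from the PKI operator: a POSIX shell script that reads a certificate's RSA modulus size and expiry with the openssl CLI and flags still-valid keys below the 2048-bit minimum the CA/Browser Forum Baseline Requirements allow. It assumes openssl is on PATH; the fixtures it builds are constructed self-signed certificates, not the ECCE certificates discussed.

```shell
#!/bin/sh
# Added example (not from the bug): flag certificates whose RSA modulus is
# below 2048 bits, the minimum the CA/Browser Forum Baseline Requirements
# allow, and note whether they are still within their validity period.
# Assumes the openssl CLI is on PATH.
set -eu

# rsa_bits CERT.pem -> prints the modulus size in bits (e.g. 1024)
rsa_bits() {
  openssl x509 -in "$1" -noout -text \
    | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# is_valid CERT.pem -> exit 0 if the certificate has not expired yet
is_valid() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# check_cert CERT.pem -> 0 for a compliant cert, 1 for an undersized key
# that is still valid (an expired undersized key is reported but not
# flagged, matching the "within its validity period" count in comment 6)
check_cert() {
  bits=$(rsa_bits "$1")
  if [ "$bits" -lt 2048 ]; then
    if is_valid "$1"; then
      echo "$1: RSA $bits bits, still valid: must be replaced"
      return 1
    fi
    echo "$1: RSA $bits bits, but already expired"
    return 0
  fi
  echo "$1: RSA $bits bits OK"
}

# make_cert OUT.pem BITS -> constructed self-signed fixture, not a real cert
make_cert() {
  openssl req -x509 -newkey rsa:"$2" -nodes -keyout /dev/null \
    -out "$1" -days 1 -subj "/CN=example.invalid" 2>/dev/null
}

# Demo: one undersized and one compliant fixture
demo() {
  d=$(mktemp -d)
  make_cert "$d/weak.pem" 1024
  make_cert "$d/ok.pem" 2048
  check_cert "$d/ok.pem"
  check_cert "$d/weak.pem" || true
  rm -rf "$d"
}
demo
```

Point `check_cert` at the leaf certificate saved from each site in comment 8 (for example with `openssl s_client -showcerts`) to reproduce the per-site status the thread tracks by hand.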

Comment 8

4 years ago
Some still unfixed sites:
https://www.dgs.pt/
http://www.emfa.pt/ (but only a redirect, and will expire soon anyway)
https://www.gov-madeira.pt/
https://visitportugal.com

Comment 9

4 years ago
> but only a redirect
Not true, actually, I found a login form using https:
https://www.emfa.pt/www/faponline/aceder
Of course, it will still expire soon anyway.

Comment 10

2 years ago
Please close this bug as having been resolved by removal of the GTE CyberTrust Root from NSS and the replacement of the certificates in question with 2048-bit RSA.

Updated

2 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED

Updated

2 years ago
Product: mozilla.org → NSS