Closed Bug 1026741 Opened 11 years ago Closed 8 years ago

ECCE: Issuing 1024 bit certificates

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED FIXED

People

(Reporter: kurt, Assigned: steve.medin, Mentored)

Details

(Whiteboard: BR Compliance)

Hi, I found 7 certificates issued last week with a 1024 bit RSA key. The trust path is:

CN = GTE CyberTrust Global Root, OU = "GTE CyberTrust Solutions, Inc.", O = GTE Corporation, C = US
CN = ECRaizEstado, O = SCEE, C = PT
CN = ECCE, OU = ECEstado, O = SCEE, C = PT

Kurt
Steven, I'm concerned that:
1) There are still 1024-bit certs being issued.
2) There are still certs being issued in the "GTE CyberTrust Global Root" hierarchy, but that root is on track to be removed in Firefox 32 (bug #936304).
Mentor: steve.medin
Assignee: kwilson → steve.medin
Whiteboard: BR Compliance
Customers who continue to use the GTE CyberTrust Global Root do not require trust in Firefox. While the root will remain under WebTrust audit, it will transition to treatment as a private community PKI. Customers are entitled to issue certificates under the GTE root that suit the abilities of their environment. In some cases, this may involve hard-coded trust chains, firmware embedments that are fielded and incapable of remote update, or in rare cases, dependency on 1024-bit support. Given the extension of trust of the GTE root to September, we will contact SCEE and respond further regarding this matter.
Re comment #2: I infer that the GTE CyberTrust Global Root might thus be removed from NSS. Is this correct?
Correct, David, but in FF32, since mozilla::pkix was slotted first, so we're contacting the PKI owner since the offense extends to September unless corrected now.
The ECCE CA currently forbids issuance of 1024-bit keys. The PKI operator, Multicert, reports that 8 SSL certificates exist with key size violations. All 8 subject entities have been contacted to replace their certificates immediately and we will receive progress reports in the days to come. An action call for the replacement of the intermediate SCEE CA to the version signed under the Baltimore CyberTrust Root has been communicated to all end entities reliant on this PKI. Multicert serves the organization CEGER (www.ceger.gov.pt), who are responsible for the use of this PKI in Portuguese e-government.
I see 40 certificates that are within their validity period and have a 1024 bit RSA key. None of them are currently revoked.
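As an added example, not code from the bug thread or from any of the CAs named in it, here is the check the reporter and the previous comment describe (listing certificates that are still within their validity period and carry an RSA key shorter than 2048 bits) using only Go's standard library. makeTestCert is a hypothetical helper that builds constructed self-signed test certificates, since no real chain from the thread is embedded here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeTestCert builds a constructed self-signed certificate with an RSA key of the requested size (hypothetical test helper).
func makeTestCert(cn string, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// WeakRSACerts returns "CN (N bit)" for each certificate valid at `now` whose RSA modulus
// is shorter than minBits; expired certificates are skipped, as in the in-validity count above.
func WeakRSACerts(certs []*x509.Certificate, minBits int, now time.Time) []string {
	var weak []string
	for _, c := range certs {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue
		}
		pub, ok := c.PublicKey.(*rsa.PublicKey)
		if !ok {
			continue // non-RSA keys are outside this check
		}
		if n := pub.N.BitLen(); n < minBits {
			weak = append(weak, fmt.Sprintf("%s (%d bit)", c.Subject.CommonName, n))
		}
	}
	return weak
}
```

Feed it the parsed certificates of a real chain (for example from x509.ParseCertificates on the DER bytes) and any entry it returns is a key-size violation of the kind this bug reports.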
Removal of the GTE CyberTrust root is bug 1047011.

Gerv
Some still unfixed sites:
https://www.dgs.pt/
http://www.emfa.pt/ (but only a redirect, and will expire soon anyway)
https://www.gov-madeira.pt/
https://visitportugal.com

> but only a redirect

Not true, actually, I found a login form using https: https://www.emfa.pt/www/faponline/aceder

Of course, it will still expire soon anyway.
Please close this bug as having been resolved by removal of the GTE Cybertrust Root from NSS and the replacement of the certificates in question with 2048-bit RSA.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program