Closed
Bug 1026741
Opened 11 years ago
Closed 8 years ago
ECCE: Issuing 1024 bit certificates
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kurt, Assigned: steve.medin, Mentored)
Details
(Whiteboard: BR Compliance)
Hi,
I found 7 certificates issued last week with a 1024 bit RSA key. The trust path is:
CN = GTE CyberTrust Global Root, OU = "GTE CyberTrust Solutions, Inc.", O = GTE Corporation, C = US
CN = ECRaizEstado, O = SCEE, C = PT
CN = ECCE, OU = ECEstado, O = SCEE, C = PT
Kurt
Comment 1•11 years ago
Steven,
I'm concerned that:
1) There are still 1024-bit certs being issued
2) There are still certs being issued in the "GTE CyberTrust Global Root" hierarchy, but that root is on track to be removed in Firefox 32 (bug #936304).
Mentor: steve.medin
Updated•11 years ago
Blocks: BR-Compliance
Updated•11 years ago
Assignee: kwilson → steve.medin
Whiteboard: BR Compliance
Assignee
Comment 2•11 years ago
Customers who continue to use the GTE CyberTrust Global Root do not require trust in Firefox. While the root will remain under WebTrust audit, it will transition to treatment as a private community PKI. Customers are entitled to issue certificates under the GTE root that suit the abilities of their environment. In some cases, this may involve hard-coded trust chains, firmware embedments that are fielded and incapable of remote update, or in rare cases, dependency on 1024-bit support.
Given the extension of trust of the GTE root to September, we will contact SCEE and respond further regarding this matter.
Comment 3•11 years ago
Re comment #2: I infer that the GTE CyberTrust Global Root might thus be removed from NSS. Is this correct?
Assignee
Comment 4•11 years ago
Correct David, but in FF32 since mozilla::pkix was slotted first, so we're contacting the PKI owner since the offense extends to September unless corrected now.
Assignee
Comment 5•11 years ago
The ECCE CA currently forbids issuance of 1024-bit keys. The PKI operator, Multicert, reports that 8 SSL certificates exist with key size violations. All 8 subject entities have been contacted to replace their certificates immediately and we will receive progress reports in the days to come.
An action call for the replacement of the intermediate SCEE CA to the version signed under the Baltimore CyberTrust Root has been communicated to all end entities reliant on this PKI. Multicert serve the organization CEGER (www.ceger.gov.pt) who are responsible for the use of this PKI in Portuguese e-government.
Reporter
Comment 6•11 years ago
I see 40 certificates that are within their validity period that have a 1024 bit RSA key. None of them are currently revoked.
Comment 7•10 years ago
Removal of the GTE CyberTrust root is bug 1047011.
Gerv
Comment 8•10 years ago
Some still unfixed sites:
https://www.dgs.pt/
http://www.emfa.pt/ (but only a redirect, and will expire soon anyway)
https://www.gov-madeira.pt/
https://visitportugal.com
Comment 9•10 years ago
> but only a redirect
Not true, actually, I found a login form using https:
https://www.emfa.pt/www/faponline/aceder
Of course, it will still expire soon anyway.
Comment 10•8 years ago
Please close this bug as having been resolved by removal of the GTE Cybertrust Root from NSS and the replacement of the certificates in question with 2048-bit RSA.
Updated•8 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Updated•8 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program