Closed Bug 1037907 Opened 11 years ago Closed 11 years ago

GoDaddy: Valid 1024 certificates

Categories

(CA Program :: CA Certificate Root Program, task)

RESOLVED INVALID

People

(Reporter: kurt, Assigned: rfox)

Details

(Whiteboard: BR Compliance - 1024 bit certs)

I have a list of about 11000 certificates from GoDaddy that are still valid, not revoked, and still 1024 bit. At least about 350 of them are still being used. The intermediate CA issuing those is:
C = US
ST = Arizona
L = Scottsdale
O = "GoDaddy.com, Inc."
OU = http://certificates.godaddy.com/repository
CN = Go Daddy Secure Certification Authority
serialNumber = 07969287
Assignee: kwilson → rfox
Whiteboard: BR Compliance - 1024 bit certs
My understanding is that GoDaddy has issued 1024 bit certs prior to BR 1.0 effective date of 01-Jul-12, and those certificates are not subject to the BR Appendix A key requirements. If I'm mistaken and you're aware of newly issued 1024 bit certificates in violation of the BR, I'm very interested to hear of them.
The last certificate I know about was generated on 2011-12-21, the last one I know about expires 2019-07-10. But I do not agree to the interpretation that Appendix A only applies to certificates generated after a certain date. I think it applies to all certificates. I'd like to point out that it makes an exception for root certificates generated before 31 December 2010, so I see no way to interpret it so that it doesn't apply to all subscriber certificates.
Kurt
This was previously discussed in CA/B Forum, and Kathleen agreed [1] with the interpretation:
> Since the BRs effectively cover only certs issued after "the effective
> date", does that mean that certs issued before "the effective date"
> don't need to be revoked?
To be clear, she did note that continued 1024 bit support was not guaranteed, but that does not make this a BR compliance problem.
[1] https://cabforum.org/pipermail/public/2013-June/001732.html
The link you posted to says: "Under no circumstances should any party expect continued support for RSA key size smaller than 2048 bits past December 31, 2013." We're now past that, 1024 bit keys should have been gone.
(In reply to Kurt Roeckx from comment #2)
> The last certificate I know about was generated on 2011-12-21, the last one
> I know about expires 2019-07-10.
Given that, and Kathleen's interpretation, there is no BR compliance problem here. GoDaddy may well have a problem when browsers stop accepting 1024-bit certificates, but they've had plenty of warning :-)
Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INVALID
Product: mozilla.org → NSS
Product: NSS → CA Program