[SSL Observatory] Number of CAs

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Dec 8 11:26:39 PST 2011


On 12/08/2011 02:01 PM, Erwann Abalea wrote:
> On 8 Dec. 2011 19:52, "Daniel Kahn Gillmor" <dkg at fifthhorseman.net>
> wrote:
> 
>> Other (major) organizations
>> rely on a CA chain where the ultimate root uses a 1024-bit RSA key
>> issued 12 years ago and is preposterously claimed to be valid until
>> 2030. Should i simply refuse to visit the web sites who've made the
>> decision to use these CAs?
> 
> Where did you see that? There's no root shorter than 2048bits in the
> Mozilla trust store.

gah, i'm screwing up today, the 1024-bit key expires in 2019, not 2030,
so it's only valid for 9 years after NIST strongly deprecated it, not 20
years.

The certificate chain for https://facebook.com/ points to a final issuer of:

C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits
liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server
Certification Authority

Which is indeed a 1024-bit RSA key with a validity range from May 1999
to May 2019 (attached, with serial number 927650371 (0x374ad243)).

You can use it to validate the connection to facebook if you're into
that sort of thing:

gnutls-cli --x509cafile Entrust.net_Secure_Server_CA.crt facebook.com

The CRL embedded in this certificate
(http://www.entrust.net/CRL/net1.crl) was issued today, and it doesn't
appear to have revoked itself, so it looks like Entrust is still
claiming it's still good for use.

Regards,

	--dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: Entrust.net_Secure_Server_CA.crt
Type: application/x-x509-ca-cert
Size: 1740 bytes
Desc: not available
URL: <http://lists.eff.org/pipermail/observatory/attachments/20111208/0ea6d196/attachment.crt>
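Added example, not code from the thread, from dkg or from Entrust: a dependency-free Python check for the two properties the message flags on a root, the RSA modulus size and a notAfter that runs past the date 1024-bit RSA was deprecated (it also skips the [0] version field, so it handles v3 roots as well as the v1 skeleton here). The certificate it audits is a constructed, unsigned skeleton with empty names and an arbitrary 1024-bit modulus, not the Entrust certificate; the cutoff date (end of 2010), the validity days and the field order are assumptions made for illustration.

```python
from datetime import datetime
NIST_1024_RSA_CUTOFF = datetime(2010, 12, 31)   # assumed deprecation date the thread counts from
def der(tag, body):  # encode one DER TLV (short or long length form)
    n = len(body)
    if n < 128:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def tlv(data, pos=0):  # decode the element at pos -> (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def children(body):  # (tag, value) pairs directly inside a SEQUENCE body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def audit_root(der_cert, cutoff=NIST_1024_RSA_CUTOFF):
    """Return (rsa_bits, not_after, findings) for a DER-encoded X.509 cert."""
    tbs = children(tlv(der_cert)[1])[0][1]        # Certificate -> TBSCertificate
    fields = children(tbs)
    if fields[0][0] == 0xA0:                      # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serial, signature alg, issuer, validity, subject, SPKI
    raw = children(fields[3][1])[1][1].decode()   # notAfter (UTCTime or GeneralizedTime)
    not_after = datetime.strptime(raw, "%y%m%d%H%M%SZ" if len(raw) == 13 else "%Y%m%d%H%M%SZ")
    bit_string = children(fields[5][1])[1][1][1:] # SPKI key BIT STRING, unused-bits byte dropped
    modulus = children(tlv(bit_string)[1])[0][1]  # RSAPublicKey.modulus INTEGER
    bits = int.from_bytes(modulus, "big").bit_length()
    findings = [f"{bits}-bit RSA root key"] if bits < 2048 else []
    if not_after > cutoff:
        findings.append(f"valid until {not_after:%Y-%m-%d}, past key-size deprecation")
    return bits, not_after, findings

def sample_1024_root():
    """Constructed, unsigned skeleton cert with a 1024-bit modulus (placeholder values)."""
    modulus = ((1 << 1023) | 1).to_bytes(129, "big")   # leading 0x00 keeps the INTEGER positive
    rsa_key = der(0x30, der(0x02, modulus) + der(0x02, b"\x01\x00\x01"))
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + rsa_key))
    name = der(0x30, b"")                              # empty Name placeholder
    validity = der(0x30, der(0x17, b"990525000000Z") + der(0x17, b"190525000000Z"))
    tbs = der(0x30, der(0x02, b"\x01") + rsa_alg + name + validity + name + spki)
    return der(0x30, tbs + rsa_alg + der(0x03, b"\x00"))
```

To audit a real root, pass the DER bytes of the file (for a PEM file, base64-decode the body between the BEGIN/END lines first).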