[SSL Observatory] Number of CAs

Erwann Abalea eabalea at gmail.com
Thu Dec 8 12:26:45 PST 2011


Good evening Daniel,

2011/12/8 Daniel Kahn Gillmor <dkg at fifthhorseman.net>

> On 12/08/2011 02:01 PM, Erwann Abalea wrote:
> > On 8 Dec 2011 19:52, "Daniel Kahn Gillmor" <dkg at fifthhorseman.net>
> > wrote:
> >
> >> Other (major) organizations
> >> rely on a CA chain where the ultimate root uses a 1024-bit RSA key
> >> issued 12 years ago and is preposterously claimed to be valid until
> >> 2030. Should I simply refuse to visit the web sites who've made the
> >> decision to use these CAs?
> >
> > Where did you see that? There's no root shorter than 2048bits in the
> > Mozilla trust store.
>
> Gah, I'm screwing up today: the 1024-bit key expires in 2019, not 2030,
> so it's only valid for 9 years after NIST strongly deprecated it, not 20
> years.
>
> The certificate chain for https://facebook.com/ points to a final issuer
> of:
>
> C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits
> liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server
> Certification Authority
>

Strange. Asking with OpenSSL shows a path up to VeriSign (a 2048-bit key).
Using Firefox or Safari shows a path up to DigiCert (a 2048-bit key). I'm
in France.


> Which is indeed a 1024-bit RSA key with a validity range from May 1999
> to May 2019 (attached, with serial number 927650371 (0x374ad243)).
>
> You can use it to validate the connection to facebook if you're into
> that sort of thing:
>
> gnutls-cli --x509cafile Entrust.net_Secure_Server_CA.crt facebook.com
>
> The CRL embedded in this certificate
> (http://www.entrust.net/CRL/net1.crl) was issued today, and it doesn't
> appear to have revoked itself, so it looks like Entrust is still
> claiming it's still good for use.
>
>
A root can't revoke itself. Trust has to come out of band, and is removed
out of band.

-- 
Erwann.
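An added example, not part of the thread or of any of the CAs' material: a shell script that does by hand what the exchange above describes. It lists every certificate's RSA key size and expiry from a PEM chain, flags anything under 2048 bits, and then shows that `openssl verify` accepts the weak root purely because it was placed in the trust store, which is the out-of-band decision Erwann is pointing at. The chain is constructed on the fly (a 1024-bit self-signed root signing a 2048-bit leaf; the names are invented); it assumes the `openssl` CLI (1.1.1 or 3.x) is installed.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits a PEM certificate chain:
# key size and expiry per certificate, a WEAK flag for anything under 2048 bits,
# then demonstrates that the trust decision is out of band: openssl verify
# accepts the 1024-bit root only because it sits in the store it was given.
# Requires the openssl CLI (1.1.1 or 3.x).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed demo material (not real CA certificates): a 1024-bit self-signed
# root standing in for a 1999-era root, signing a 2048-bit leaf.
make_demo_chain() {
  openssl req -x509 -newkey rsa:1024 -nodes -sha256 -days 3650 \
    -subj "/CN=Demo 1024-bit Root" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=leaf.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
  openssl x509 -req -sha256 -days 365 -in "$WORK/leaf.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/leaf.pem" >/dev/null 2>&1
  # Server-style bundle: leaf first, then the issuing root.
  cat "$WORK/leaf.pem" "$WORK/root.pem" >"$WORK/chain.pem"
  printf '%s\n' "$WORK/chain.pem"
}

# One line per certificate in the bundle: FLAG<TAB>bits<TAB>notAfter<TAB>subject.
audit_chain() {
  bundle=$1
  rm -f "$WORK"/split*.pem
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/ {n++} {print > (dir "/split" n ".pem")}' "$bundle"
  for f in "$WORK"/split*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
    end=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
    # Matches both "RSA Public-Key: (1024 bit)" (1.1.1) and "Public-Key: (1024 bit)" (3.x).
    bits=$(openssl x509 -in "$f" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
    flag=ok
    [ "${bits:-0}" -ge 2048 ] || flag=WEAK
    printf '%s\t%s\t%s\t%s\n' "$flag" "$bits" "$end" "$subj"
  done
}

# Number of sub-2048-bit keys in the bundle.
weak_count() {
  audit_chain "$1" | grep -c '^WEAK' || true
}

# Path validation against an explicit trust store. It succeeds for the 1024-bit
# root because nothing in band (not even a CRL signed by the root itself) can
# withdraw a trust anchor; only removing it from the store does that.
verify_against_store() {
  store=$1
  leaf=$2
  openssl verify -CAfile "$store" "$leaf" >/dev/null 2>&1
}

CHAIN=$(make_demo_chain)
audit_chain "$CHAIN"
if verify_against_store "$WORK/root.pem" "$WORK/leaf.pem"; then
  echo "verify: OK (root trusted because it is in the store, not because of its key size)"
else
  echo "verify: FAILED"
fi
```

To audit a real server instead of the constructed chain, feed `audit_chain` the output of `openssl s_client -showcerts -connect host:443 </dev/null`, noting, as the thread itself observes, that the path a client builds depends on which intermediates the server sends and which roots the client's store holds.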