On 12/08/2011 02:01 PM, Erwann Abalea wrote: > Le 8 déc. 2011 19:52, "Daniel Kahn Gillmor" <[email protected]> a > écrit : > > Other (major) organizations >> rely on a CA chain where the ultimate root uses a 1024-bit RSA key >> issued 12 years ago and is preposterously claimed to be valid until >> 2030. Should i simply refuse to visit the web sites who've made the >> decision to use these CAs? > > Where did you see that? There's no root shorter than 2048bits in the > Mozilla trust store.
gah, i'm screwing up today, the 1024-bit key expires in 2019, not 2030, so it's only valid for 9 years after NIST strongly deprecated it, not 20 years. The certificate chain for https://facebook.com/ points to a final issuer of: C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server Certification Authority Which is indeed a 1024-bit RSA key with a validity range from May 1999 to May 2019 (attached, with serial number 927650371 (0x374ad243)). You can use it to validate the connection to facebook if you're into that sort of thing: gnutls-cli --x509cafile Entrust.net_Secure_Server_CA.crt facebook.com The CRL embedded in this certificate (http://www.entrust.net/CRL/net1.crl) was issued today, and it doesn't appear to have revoked itself, so it looks like Entrust is still claiming it's still good for use. Regards, --dkg
Entrust.net_Secure_Server_CA.crt
Description: application/x509-ca-cert
signature.asc
Description: OpenPGP digital signature
