Bonsoir Daniel, 2011/12/8 Daniel Kahn Gillmor <[email protected]>
> On 12/08/2011 02:01 PM, Erwann Abalea wrote: > > Le 8 déc. 2011 19:52, "Daniel Kahn Gillmor" <[email protected]> a > > écrit : > > > > Other (major) organizations > >> rely on a CA chain where the ultimate root uses a 1024-bit RSA key > >> issued 12 years ago and is preposterously claimed to be valid until > >> 2030. Should i simply refuse to visit the web sites who've made the > >> decision to use these CAs? > > > > Where did you see that? There's no root shorter than 2048bits in the > > Mozilla trust store. > > gah, i'm screwing up today, the 1024-bit key expires in 2019, not 2030, > so it's only valid for 9 years after NIST strongly deprecated it, not 20 > years. > > The certificate chain for https://facebook.com/ points to a final issuer > of: > > C=US,O=Entrust.net,OU=www.entrust.net/CPS incorp. by ref. (limits > liab.),OU=(c) 1999 Entrust.net Limited,CN=Entrust.net Secure Server > Certification Authority > Strange. Asking with OpenSSL shows a path up to VeriSign (a 2048 bits key). Using Firefox or Safari shows a path up to DigiCert (a 2048 bits key). I'm in France. > Which is indeed a 1024-bit RSA key with a validity range from May 1999 > to May 2019 (attached, with serial number 927650371 (0x374ad243)). > > You can use it to validate the connection to facebook if you're into > that sort of thing: > > gnutls-cli --x509cafile Entrust.net_Secure_Server_CA.crt facebook.com > > The CRL embedded in this certificate > (http://www.entrust.net/CRL/net1.crl) was issued today, and it doesn't > appear to have revoked itself, so it looks like Entrust is still > claiming it's still good for use. > > A root can't revoke itself. Trust has to come off-band, and is removed off-band. -- Erwann.
