what I'd like to see
Is the transcripts of Mozilla's conversations with these CA's.
Mozilla is about to revoke some weak X.509 PKI certs, and has warned sysadmins that it will affect the Firefox browser and they'll need to assess their infrastructure. The four affected root certificates from Entrust and ValiCert are marked for removal because they contained weak keys. A further seven from CyberTrust, Thawte …
Check the archives of Mozilla's dev-security-policy mailing list, where all actions are discussed according to the Mozilla CA policy.
Check the "bugs" in the "CA Certificates" in the bugzilla.mozilla.org system, where all interaction with CAs is publicly tracked, e.g. a search for "1024" within that component:
"Admins could run the command '$ openssl s_client -showcerts -connect kuix.de:443' to assess if their infrastructure depended on the affected certificates"
The command given is just an example. Running that command will show you what certs kuix.de:443 is using, not your own site.
The original article phrases it better: "For example, you could try to use a command like this[...]"
It's a fine distinction, but I would hold el reg to higher techy standards than a broadsheet rag.
I've just queried this with both Mozilla and Entrust - as we have a large number of sites with Entrust SSL certs.
Just to clarify, Mozilla are removing the 1024bit root and intermediate certificates, and therefore any certs with those in the key chain will fail.
However, any SSL cert bought within the last 18 months (from Entrust at least) uses the 2048bit root and intermediate certificate chain, and these will not be affected.
What I'd like to see - not just from Moz - is a discussion about why there are so many root certs included in the first place, a discussion and documentation of why each one is in there and information about who precisely some of these root authorities are.
Only then can people make educated decisions about the security of PKI and the removal of certain root certs from their browser. Most of them seem to be distributed for historical reasons and nobody cared about these companies - rogue cert authorities with lax security (physical and technical) can easily start quietly distributing certs for your bank or software drivers that can insert themselves into the kernel on windows boxes.
Biting the hand that feeds IT © 1998–2021