Jean-Marc Desperrier:
> Eddy Nigg wrote:
>> [...]
>> StartCom has scanned and detected all vulnerable keys and informed the
>> affected subscribers. We'll revoke all compromised keys within a short
>> time.
>
> Can you tell how much it represented in percentage of the issued
> certificates ?
Yes, I intended to do that later anyway, but I didn't have the final information ready when I previously posted. I can't say for certain right now how many *were* affected overall, because some subscribers requested revocation beforehand and we didn't scan expired or already revoked keys, but out of all currently valid certificates 1.95 % were/are affected by the Debian bug (our initial estimate was about 1.66 %). Revocation requests are trickling in due to the messages we sent, and I hope that the larger part will have their certificates revoked and re-created during the next few days. The remaining certificates will be revoked forcefully within a short time.

With this we took over the responsibilities of our subscribers according to our CP/CPS, and our share of approximately 3.5 % of overall legitimate certificates will be "Debian-bug-free". Due to the relatively short lifetime of one year for the end-user certificates which we issue, I expect that even older browsers will be "safe" within a reasonable time (another reason not to issue certificates with a longer lifetime than one year - a good practice).

All certificate signing requests submitted to the StartCom CA are scanned for this vulnerability, and effectively since June 2008 no certificates are signed with weak keys.

Cheers!

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
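The kind of CSR-side scan the post refers to, as an added example that is not StartCom's code and not part of the original thread: it extracts the modulus from a PKCS#1 RSA public key and looks its fingerprint up in a blacklist using the convention of Debian's openssl-blacklist package (the last 20 hex digits of SHA-1 over the `Modulus=<HEX>` line that `openssl rsa -noout -modulus` prints, as checked by openssl-vulnkey). The toy modulus, the two PEM keys and the one-entry blacklist are constructed for the demo; a real deployment loads the blacklist.RSA-<bits> files from that package instead, and checks the key size matches the file used.

```python
"""Scan an RSA public key for the 2008 Debian OpenSSL weak-key bug.

Added example, not StartCom's scanner; standard library only.

Blacklist convention (Debian's openssl-blacklist package, as used by
openssl-vulnkey): a key's blacklist id is the LAST 20 hex digits of
SHA-1 over the single line "Modulus=<UPPERCASE HEX>\n", i.e. exactly
what `openssl rsa -noout -modulus` prints.  The blacklist and the keys
below are CONSTRUCTED for the demo; in practice load the real
/usr/share/openssl-blacklist/blacklist.RSA-<bits> files.
"""
import base64
import hashlib
import re


# --- minimal DER helpers: just enough for PKCS#1 RSAPublicKey ---------------

def _der_len(n: int) -> bytes:
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER; the extra leading 0x00 keeps a high-bit modulus positive."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def rsa_public_key_pem(n: int, e: int) -> str:
    """PEM-encode RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = _der_int(n) + _der_int(e)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN RSA PUBLIC KEY-----\n%s\n-----END RSA PUBLIC KEY-----\n" % "\n".join(lines)


def parse_rsa_public_key(pem: str):
    """Return (n, e) from a PKCS#1 'RSA PUBLIC KEY' PEM block."""
    m = re.search(r"-----BEGIN RSA PUBLIC KEY-----(.*?)-----END RSA PUBLIC KEY-----", pem, re.S)
    if not m:
        raise ValueError("not a PKCS#1 RSA PUBLIC KEY PEM block")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


# --- the weak-key check ------------------------------------------------------

def blacklist_id(n: int) -> str:
    """Last 20 hex digits of SHA-1("Modulus=<HEX>\n"), as openssl-vulnkey computes it."""
    hexmod = "%X" % n
    if len(hexmod) % 2:                     # OpenSSL's BN_bn2hex prints whole bytes
        hexmod = "0" + hexmod
    return hashlib.sha1(("Modulus=%s\n" % hexmod).encode()).hexdigest()[20:]


def load_blacklist(path: str) -> set:
    """Read a Debian blacklist.RSA-<bits> file (one id per line, '#' comment lines)."""
    with open(path) as f:
        return {ln.strip() for ln in f if ln.strip() and not ln.startswith("#")}


def is_debian_weak(pem: str, blacklist: set) -> bool:
    """True if the key's modulus is one the buggy Debian OpenSSL could have produced."""
    n, _e = parse_rsa_public_key(pem)
    return blacklist_id(n) in blacklist


# --- constructed demo data (NOT real keys, NOT the real blacklist) -----------
DEMO_N = 0xD4A3B2C1E0F9876543210FEDCBA98765          # toy 128-bit modulus
WEAK_PEM = rsa_public_key_pem(DEMO_N, 65537)
OK_PEM = rsa_public_key_pem(DEMO_N + 2, 65537)
DEMO_BLACKLIST = {blacklist_id(DEMO_N)}             # pretend DEMO_N came from a Debian box

if __name__ == "__main__":
    for name, pem in (("weak", WEAK_PEM), ("ok", OK_PEM)):
        verdict = "REJECT (Debian weak key)" if is_debian_weak(pem, DEMO_BLACKLIST) else "accept"
        print(name, "->", verdict)
```

In a CA pipeline this check runs on the public key inside every CSR before signing; the same fingerprint routine applied to the modulus of already-issued certificates gives the post-hoc scan of valid certificates described in the message.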