If you received an email today stating that one or more of your certificates has been revoked, then this action was initiated by CAcert. See the announcement on the blog.
For more background information see the Arbitration page and Hanno Böck’s blog post.
In short: certificates were found whose private keys could easily be recovered, for one of the following reasons:
- Their modulus is small (< 1024 bits) and can therefore be factored quickly on an ordinary desktop computer.
- They use a small public exponent, which is vulnerable to well-known cryptographic attacks.
- The key was generated on a Debian system with the broken OpenSSL random number generator (see Debian Vulnerability).
The CAcert web site has now been modified to reject such weak keys when certificates are requested in the future.
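The kind of check the web site now performs can be illustrated with a small policy filter over an RSA public key. The following is an added example and not CAcert's own code: it parses a PKCS#1 RSAPublicKey (the SEQUENCE of modulus and exponent inside a CSR or certificate), then rejects the three weak-key classes listed above. The 1024-bit minimum is the figure given here; the exponent rule (odd and at least 65537) is an assumed, stricter policy, and the Debian weak-key blacklist is modelled as a lookup of the modulus' SHA-1 fingerprint, which is a stand-in for the real openssl-blacklist tooling rather than its format. The sample moduli are constructed odd numbers of the right bit length, not real RSA products; the check only inspects the public parameters.

```python
import hashlib

# Policy thresholds. The 1024-bit minimum is the figure the post gives;
# the exponent rule is an assumed stricter policy (odd and at least 65537).
MIN_MODULUS_BITS = 1024
MIN_PUBLIC_EXPONENT = 65537


def _der_length(n: int) -> bytes:
    """Encode a DER length (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (leading 0x00 if the top bit is set)."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def encode_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = _der_integer(n) + _der_integer(e)
    return b"\x30" + _der_length(len(inner)) + inner


def _read_tlv(data: bytes, pos: int):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length


def decode_rsa_public_key(der: bytes):
    """Parse a PKCS#1 RSAPublicKey and return (n, e)."""
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, _ = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("expected two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def modulus_fingerprint(n: int) -> str:
    """SHA-1 of the modulus bytes; an assumed key for the weak-key blacklist."""
    return hashlib.sha1(n.to_bytes((n.bit_length() + 7) // 8, "big")).hexdigest()


def check_rsa_key(der: bytes, weak_fingerprints=frozenset()) -> list:
    """Return the list of policy violations for a key; an empty list means accept."""
    n, e = decode_rsa_public_key(der)
    problems = []
    if n.bit_length() < MIN_MODULUS_BITS:
        problems.append(f"modulus too small: {n.bit_length()} bits")
    if e < MIN_PUBLIC_EXPONENT or e % 2 == 0:
        problems.append(f"weak public exponent: {e}")
    if modulus_fingerprint(n) in weak_fingerprints:
        problems.append("modulus is on the weak-key blacklist")
    return problems


# Constructed sample keys (odd numbers of the wanted bit length, not real RSA moduli).
SAMPLE_OK = encode_rsa_public_key((1 << 2047) | 0x10001, 65537)   # 2048 bits, e=65537
SAMPLE_SMALL = encode_rsa_public_key((1 << 511) | 1, 65537)       # 512-bit modulus
SAMPLE_EXP3 = encode_rsa_public_key((1 << 2047) | 1, 3)           # small exponent
SAMPLE_DEBIAN = encode_rsa_public_key((1 << 2047) | 3, 65537)     # "known weak" modulus
BLACKLIST = frozenset({modulus_fingerprint((1 << 2047) | 3)})     # constructed blacklist

if __name__ == "__main__":
    for name, key in [("ok", SAMPLE_OK), ("small", SAMPLE_SMALL),
                      ("exp3", SAMPLE_EXP3), ("debian", SAMPLE_DEBIAN)]:
        print(name, check_rsa_key(key, BLACKLIST) or "accepted")
```

A real deployment would take the key out of the CSR's SubjectPublicKeyInfo rather than a bare PKCS#1 blob, and would consult the actual Debian blacklist data; the structure of the decision (size, exponent, blacklist lookup) stays the same.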
We wish to thank Hanno Böck for notifying us of this problem and giving us enough time to fix it before publishing it.