If you received email today stating that one or more of your certificates was revoked than this action was initiated by CAcert. See the announcement on the blog.
For more background information see the Arbitration page and Hanno Böck’s blog post.
A short summary, some certificates were found for private keys which could easily be cracked because of one of the following reasons:
- Their modulus size is small (y 1024 bits) and therefore quickly be “brute forced” with usual desktop computers.
- They use an small exponent which is vulnerable to well known cryptographic attacks
- They used a key generated by a buggy debian system (see Debian Vulnerability).
The CAcert web page has now been modified not to accept such weak keys for certificates in the future.
We wish to thank Hanno Böck for notifying us of this problem and giving us enough time to fix it before publishing it.
great stuff, at least the CAcert improvement issue is far from the DigiNotar or comodogate breach. Please be careful when you visit Hanno Böck’s blog , I noticed an XSS warning in NoScript and an attempt to log me in to flattr.
@Morten.Gulbrandsen:
I’m not aware of any such problems on my blog. I’ve tested it with noscript, but I see no warning indicating anything like XSS.
Could you please get in touch with me, so we can try to sort out any issues there might be with my blog?