On 7/25/14, 3:11 PM, Kathleen Wilson wrote:
== Background ==
We have begun removal of 1024-bit roots with the following 2 bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
  -- Remove Entrust.net, GTE CyberTrust, and ValiCert 1024-bit root
certificates from NSS
https://bugzilla.mozilla.org/show_bug.cgi?id=986005
  -- Turn off SSL and Code Signing trust bits for VeriSign 1024-bit roots

There are two more sets of 1024-bit root changes that will need to follow:
https://bugzilla.mozilla.org/show_bug.cgi?id=986014
  -- Remove Thawte 1024-bit roots
https://bugzilla.mozilla.org/show_bug.cgi?id=986019
  -- Turn off SSL and Code Signing trust bits for Equifax 1024-bit roots

== Problem ==
Some web server administrators have not updated their web servers to
provide a new intermediate certificate signed by a newer root, even
though the CA has implored them to do so. For those websites, users may
get the Untrusted Connection error when the old root is removed.

== For this batch of root changes ==

We are still investigating if we should use this possible solution for
this batch of root changes. Please stay tuned and continue to share data
and test results that should be considered.



Here's what we are doing for this first batch of root changes that was made in NSS 3.16.3, and is currently in Firefox 32, which is in Beta.

NSS 3.16.4 will be created and included in Firefox 32. It will only contain these two changes:

1) https://bugzilla.mozilla.org/show_bug.cgi?id=1045189 -- Add the 2048-bit version of the "USERTrust Legacy Secure Server CA" intermediate cert to NSS; this intermediate cert expires in November 2015.

2) https://bugzilla.mozilla.org/show_bug.cgi?id=1046343 -- Backout removal of the 1024-bit GTE CyberTrust Global Root


I have filed another bug to make a new plan for migration off of the 1024-bit GTE CyberTrust Global Root, and then remove it.
https://bugzilla.mozilla.org/show_bug.cgi?id=1047011

Thanks,
Kathleen
