On 7/25/14, 3:11 PM, Kathleen Wilson wrote:
== Background ==
We have begun removal of 1024-bit roots with the following 2 bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
-- Remove Entrust.net, GTE CyberTrust, and ValiCert 1024-bit root
certificates from NSS
https://bugzilla.mozilla.org/show_bug.cgi?id=986005
-- Turn off SSL and Code Signing trust bits for VeriSign 1024-bit roots
There are two more sets of 1024-bit root changes that will need to follow:
https://bugzilla.mozilla.org/show_bug.cgi?id=986014
-- Remove Thawte 1024-bit roots
https://bugzilla.mozilla.org/show_bug.cgi?id=986019
-- Turn off SSL and Code Signing trust bits for Equifax 1024-bit roots
== Problem ==
Some web server administrators have not updated their web servers to
provide a new intermediate certificate signed by a newer root, even
though the CA has implored them to do so. For those websites, users may
get the Untrusted Connection error when the old root is removed.
== For this batch of root changes ==
We are still investigating if we should use this possible solution for
this batch of root changes. Please stay tuned and continue to share data
and test results that should be considered.
Here's what we are doing for this first batch of root changes that was
made in NSS 3.16.3, and is currently in Firefox 32, which is in Beta.
NSS 3.16.4 will be created and included in Firefox 32. It will only
contain these two changes:
1) https://bugzilla.mozilla.org/show_bug.cgi?id=1045189 -- Add the
2048-bit version of the "USERTrust Legacy Secure Server CA" intermediate
cert to NSS. This intermediate cert expires in November 2015.
2) https://bugzilla.mozilla.org/show_bug.cgi?id=1046343 -- Backout
removal of the 1024-bit GTE CyberTrust Global Root
I have filed another bug to make a new plan for migration off of the
1024-bit GTE CyberTrust Global Root, and then remove it.
https://bugzilla.mozilla.org/show_bug.cgi?id=1047011
Thanks,
Kathleen