On 12/1/14 9:25 AM, Kathleen Wilson wrote:
On 9/8/14 5:05 PM, Kathleen Wilson wrote:
I posted a security blog about 1024-bit certs...
https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/
"The third and final phase of migrating off of 1024-bit root
certificates involves the changes identified in Bugzilla Bug #986019,
which relates to Equifax root certificates that are owned by Symantec."
https://bugzilla.mozilla.org/show_bug.cgi?id=986019
==
turn off the WebSites and Code Signing trust bits for the following
1024-bit root certificates owned by Symantec.
> Equifax
> Equifax Secure Certificate Authority
> Equifax Secure CA
> 1998 Aug 22
> 2018 Aug 22
> SHA-1
> SHA1 Fingerprint:
D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
> Equifax Secure Inc.
> Equifax Secure Global eBusiness CA-1
> 1999 Jun 21
> 2020 Jun 21
> MD5
> SHA1 Fingerprint:
7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
==
These changes were made in NSS 3.18, and landed in Firefox 38. However,
when Firefox 38 went into Beta there was a huge spike in the number of
certificate verification errors that are attributed to turning off the
Websites trust bit for the "Equifax Secure Certificate Authority " root.
So, a new bug was filed to temporarily re-enable the trust bits for the
"Equifax Secure Certificate Authority" root.
https://bugzilla.mozilla.org/show_bug.cgi?id=1155279
We will be doing further analysis to determine if we can provide a
smoother transition for website administrators who will be impacted by
this change.
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy