Peter Bowen has suggested that the G2 root should be considered the same way, since it seems to be used for the same purpose as the one Google referenced:
https://twitter.com/pzb/status/675354162071252992 I believe this censys.io link is a (slightly) friendlier way of showing the same thing: https://www.censys.io/certificates?q=parsed.subject.common_name%3APrivate+AND+parsed.subject.organization%3ASymantec+and+parsed.extensions.basic_constraints.is_ca%3Atrue -- Eric On Sat, Dec 12, 2015 at 6:41 PM, Kurt Roeckx <k...@roeckx.be> wrote: > Hi, > > It seems that Symantec will stop using the "VeriSign G1" root > certificate. In the announcement[1] they say: "Browsers may > remove TLS/SSL support for certificates issued from these roots." > > The name of the certificate seems to be "Class 3 Public Primary > Certification Authority". > > It seems google plans[2] to remove the TLS trust bits, and distrut > it instead. > > The announcement says that it's also used for code signing, but > it's not clear that it's still going to be used for that or not. > > Should Mozilla follow and disable the TLS trust bits? Add it to > the distrusted list? > > > Kurt > > [1]: > https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US > [2]: > https://googleonlinesecurity.blogspot.be/2015/12/proactive-measures-in-digital.html > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > -- konklone.com | @konklone <https://twitter.com/konklone> _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy