Note that that certificate was not removed from NSS, but rather had its trust bits edited so that it is only trusted for TLS server authentication: https://bugzilla.mozilla.org/show_bug.cgi?id=1851044#c0
On Mon, Nov 18, 2024 at 11:30 AM 'Matthew McPherrin' via [email protected] <[email protected]> wrote:

> Ah, that's Autoridad de Certificacion Firmaprofesional CIF A62634068
>
> AEC5FB3FC8E1BFC4E54F03075A9AE800B7F7B6FA
>
> https://crt.sh/?q=AE%3AC5%3AFB%3A3F%3AC8%3AE1%3ABF%3AC4%3AE5%3A4F%3A03%3A07%3A5A%3A9A%3AE8%3A00%3AB7%3AF7%3AB6%3AFA
>
> On Mon, Nov 18, 2024 at 2:08 PM Aaron Gable <[email protected]> wrote:
>
>> Ah sorry, I switched the fourth and sixth fingerprints. The sixth one
>> (ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6:??) is
>> unidentified.
>>
>> On Mon, Nov 18, 2024 at 10:37 AM Matthew McPherrin <[email protected]> wrote:
>>
>>> > The fourth fingerprint
>>> > (e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2) is also one
>>> > octet short, but I have been unable to identify what certificate it is
>>> > supposed to match.
>>>
>>> I think this should be
>>> E9:A8:5D:22:14:52:1C:5B:AA:0A:B4:BE:24:6A:23:8A:C9:BA:E2:A9 -
>>> E-Tugra Global Root CA RSA v3
>>>
>>> https://crt.sh/?q=E9%3AA8%3A5D%3A22%3A14%3A52%3A1C%3A5B%3AAA%3A0A%3AB4%3ABE%3A24%3A6A%3A23%3A8A%3AC9%3ABA%3AE2%3AA9
>>>
>>> On Mon, Nov 18, 2024 at 12:25 PM 'Aaron Gable' via [email protected] <[email protected]> wrote:
>>>
>>>> The certificate with fingerprint
>>>> ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a
>>>> (the first one listed) is TrustCor RootCert CA-1
>>>> <https://crt.sh/?id=19392284>. You can see the email announcing
>>>> Mozilla's decision to remove TrustCor from their trust store here
>>>> <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ>.
>>>> That email thread also contains most of the discussion and deliberation
>>>> around why TrustCor was removed, as well as messages from the Microsoft and
>>>> Chrome root programs announcing similar distrust decisions.
>>>>
>>>> The second fingerprint listed does not correspond to any known
>>>> certificate, but that is because you have accidentally truncated it by one
>>>> octet. I believe it was meant to be
>>>> b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c*:c0*, in
>>>> which case it matches TrustCor RootCert CA-2
>>>> <https://crt.sh/?id=19392278>, which was distrusted at the same time
>>>> as the above.
>>>>
>>>> The same goes for the third fingerprint. It should be
>>>> 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78*:bd*, for
>>>> TrustCor ECA-1 <https://crt.sh/?id=19392274>, which was also removed at the
>>>> same time as the above.
>>>>
>>>> The fourth fingerprint
>>>> (e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2) is also one
>>>> octet short, but I have been unable to identify what certificate it is
>>>> supposed to match.
>>>>
>>>> The certificate with fingerprint
>>>> 8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84
>>>> (the fifth one listed) is E-Tugra Global Root CA ECC v3
>>>> <https://crt.sh/?id=2605043398>. You can see the email announcing
>>>> Mozilla's decision to remove E-Tugra from their trust store here
>>>> <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A/m/qDXcQu-hBAAJ>.
>>>>
>>>> The sixth fingerprint is also missing its final octet. It should be
>>>> e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2*:a9* to match
>>>> E-Tugra Global Root CA RSA v3 <https://crt.sh/?id=2605037174>, which was
>>>> removed from the trust store at the same time as the one above.
>>>>
>>>> Aaron
>>>>
>>>> On Mon, Nov 18, 2024 at 8:41 AM M THUG <[email protected]> wrote:
>>>>
>>>>> Dear Mozilla Firefox Team,
>>>>>
>>>>> I hope this message finds you well.
>>>>>
>>>>> I am writing to inquire about the removal of the following SSL/TLS
>>>>> certificates from Firefox's trusted certificate store. These certificates
>>>>> are identified by the following SHA1 fingerprints:
>>>>>
>>>>> SHA1 Fingerprint: ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a
>>>>> SHA1 Fingerprint: b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c
>>>>> SHA1 Fingerprint: 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78
>>>>> SHA1 Fingerprint: e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2
>>>>> SHA1 Fingerprint: 8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84
>>>>> SHA1 Fingerprint: ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6
>>>>>
>>>>> Could you kindly provide clarification as to why these specific
>>>>> certificates were removed? Understanding the rationale behind this decision
>>>>> will help us assess any potential impact on our systems and ensure that we
>>>>> are adhering to the best practices for security.
>>>>>
>>>>> Thank you in advance for your attention to this matter. I look forward
>>>>> to your response.
>>>>>
>>>>> Best regards, Vamsi
>>>>>
>>>>> --
>>>>> You received this message because you are subscribed to the Google
>>>>> Groups "[email protected]" group.
>>>>> To unsubscribe from this group and stop receiving emails from it, send
>>>>> an email to [email protected].
>>>>> To view this discussion visit
>>>>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ffb4ca11-594d-486b-8b55-2f95f0c3eef0n%40mozilla.org
>>>>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ffb4ca11-594d-486b-8b55-2f95f0c3eef0n%40mozilla.org?utm_medium=email&utm_source=footer>.
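The check the replies in this thread perform by hand, written out as an added example that is not part of any message above: a SHA-1 fingerprint must be 20 octets, and a shorter one can be resolved by prefix against the full fingerprints the thread identified. The function names and status strings are this example's own.

```python
import re

SHA1_OCTETS = 20  # a SHA-1 digest is always 20 octets (40 hex digits)

# Full fingerprints and certificate names exactly as identified in the thread.
KNOWN_ROOTS = {
    "ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a": "TrustCor RootCert CA-1",
    "b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c:c0": "TrustCor RootCert CA-2",
    "58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78:bd": "TrustCor ECA-1",
    "e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2:a9": "E-Tugra Global Root CA RSA v3",
    "8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84": "E-Tugra Global Root CA ECC v3",
    "AEC5FB3FC8E1BFC4E54F03075A9AE800B7F7B6FA":
        "Autoridad de Certificacion Firmaprofesional CIF A62634068",
}

def normalize(fp):
    """Strip ':' and whitespace separators, lower-case, require whole hex octets."""
    hexstr = re.sub(r"[:\s]", "", fp).lower()
    if not re.fullmatch(r"(?:[0-9a-f]{2})+", hexstr):
        raise ValueError(f"not a whole number of hex octets: {fp!r}")
    return hexstr

INDEX = {normalize(fp): name for fp, name in KNOWN_ROOTS.items()}

def identify(fp, index=INDEX):
    """Return (status, octet_count, candidate_names) for a reported fingerprint."""
    hexstr = normalize(fp)
    octets = len(hexstr) // 2
    if octets == SHA1_OCTETS:
        name = index.get(hexstr)
        return ("exact", octets, [name]) if name else ("unknown", octets, [])
    if octets > SHA1_OCTETS:
        return ("too-long", octets, [])
    # Short input: treat it as a truncated prefix and list every full match.
    names = [n for full, n in index.items() if full.startswith(hexstr)]
    return ("truncated", octets, names)

if __name__ == "__main__":
    # The six values as sent in the original enquiry (four are one octet short).
    reported = [
        "ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a",
        "b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c",
        "58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78",
        "e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2",
        "8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84",
        "ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6",
    ]
    for fp in reported:
        print(fp, identify(fp))
```

A "truncated" result with a single candidate is a lead, not an identification: confirm it against the full fingerprint of the certificate itself before acting on it.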
