On 2009-05-29 09:22 PDT, Rick Andrews wrote: > On May 28, 3:12 pm, Nelson B Bolyard <nel...@bolyard.me> wrote: >> On 2009-05-28 10:52 PDT, Kathleen Wilson wrote: >> >>> Just to make sure I understand… >>> In the VeriSign case the MD2 roots expire on 2028-08-01, and the SHA1 >>> roots expire on 2028-08-02, so the SHA1 roots would take precedence in >>> NSS. Therefore, there is no benefit in keeping the MD2 roots, and the >>> MD2 roots should be removed when the SHA1 roots are added. >> That is also my understanding. >> ... > > Hold on please - we would like the MD2 roots to remain alongside the > SHA1 roots. The reason is that we have issued several intermediate CAs > from the MD2 root which bear the serial number of the MD2 root in > their AKI extension. When we created the SHA1 roots, we added one day > to the validity period and kept the DN and key the same,
How about the subject key ID? Did it change? > but we gave it a different serial number (that is our practice). Exactly as it should be! > We discovered too late that Firefox uses the AKI to find the issuer, and > if it's not found, Firefox does not fall back to other methods (like > using the Issuer DN, as other browsers do). The behavior you describe above is true for Firefox 2.0.x and older Mozilla browsers. It was changed in July 2008, and the change appears in all these products/versions and their successors: - FireFox 3.0.0.0 - Thunderbird 2.0.0.21 - SeaMonkey 1.1.15 - Camino 1.6.7 However, the proposed change to the root certs list (adding a new root and removing an old MD2 root) will only affect new browsers released after this date, and will not affect the root cert lists in old Mozilla browsers such as Firefox 2.0.x because Mozilla has no plans to ever release any new updates to those old releases. > Hence we need the MD2 roots to remain in Firefox until customers renew > and replace their SSL certs signed by intermediates that contain the AKI > extension pointing to the MD2 root. We expect that might take several > years. New Mozilla browsers released after this date do not and will not have the problem you described above. So, it should not be necessary to retain the MD2 certs in the root list for these new browser products. This change will have no effect on older browsers that are not updated. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
