Re: Propose Removal of E-Guven root
On 4/14/15 8:50 AM, yuhongbao_...@hotmail.com wrote:

On Thursday, March 19, 2015 at 1:02:06 PM UTC-7, Peter Bowen wrote:

On Wed, Mar 18, 2015 at 12:40 PM, Kathleen Wilson kwil...@mozilla.com wrote:

I propose removing the following root cert from NSS, due to inadequate audit statements.

Issuer:
CN = e-Guven Kok Elektronik Sertifika Hizmet Saglayicisi
O = Elektronik Bilgi Guvenligi A.S.
C = TR

In the Pilot CT log, which includes every certificate that the Google crawler has seen, I found 19 unexpired certificates issued by this CA. Their subjects are as follows (using the default OpenSSL DN to string method):

snip

FYI, the cert for ttgoldguide.com was just renewed, at first with a 1024-bit DSA cert that was probably a mistake:

snip

Of course it has been replaced with a 1024-bit RSA certificate

Thanks to all of you who participated in this discussion and provided data about certificates in this CA hierarchy.

We are proceeding with the removal of this root certificate in the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=1145270

This change is in NSS 3.18.1, which is expected to land in Firefox 38.

Thanks,
Kathleen

___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Re: Security Blog about 1024-bit certs
On 12/1/14 9:25 AM, Kathleen Wilson wrote:

On 9/8/14 5:05 PM, Kathleen Wilson wrote:

I posted a security blog about 1024-bit certs...
https://blog.mozilla.org/security/2014/09/08/phasing-out-certificates-with-1024-bit-rsa-keys/

The third and final phase of migrating off of 1024-bit root certificates involves the changes identified in Bugzilla Bug #986019, which relates to Equifax root certificates that are owned by Symantec.
https://bugzilla.mozilla.org/show_bug.cgi?id=986019

==
turn off the WebSites and Code Signing trust bits for the following 1024-bit root certificates owned by Symantec.

Equifax, Equifax Secure Certificate Authority, Equifax Secure CA, 1998 Aug 22, 2018 Aug 22, SHA-1
SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

Equifax Secure Inc., Equifax Secure Global eBusiness CA-1, 1999 Jun 21, 2020 Jun 21, MD5
SHA1 Fingerprint: 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
==

These changes were made in NSS 3.18, and landed in Firefox 38.

However, when Firefox 38 went into Beta there was a huge spike in the number of certificate verification errors that are attributed to turning off the Websites trust bit for the Equifax Secure Certificate Authority root. So, a new bug was filed to temporarily re-enable the trust bits for the Equifax Secure Certificate Authority root.
https://bugzilla.mozilla.org/show_bug.cgi?id=1155279

We will be doing further analysis to determine if we can provide a smoother transition for website administrators who will be impacted by this change.

Thanks,
Kathleen