Re: Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-15 Thread Jakob Bohm

On 15/12/2015 03:34, Andrew Ayer wrote:
> On Sat, 12 Dec 2015 16:56:04 -0800
> Yuhong Bao  wrote:
>
>> I think this and most of the other 1024-bit roots were removed or
>> restricted to email in Mozilla some time ago (last remaining one is
>> Equifax). They had been considered obsolete for a long time.
>
> Indeed, the Verisign Class 3 Public Primary Certification Authority is
> currently email-only.  I'm curious if there's any reason the email
> trust bit should not be removed as well, considering that Symantec's
> announcement[1] only lists TLS and code signing as the uses of this
> root.
>
> Thanks,
> Andrew
>
> [1]
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US



Please note that while someone in this group successfully lobbied to
remove the "code-signing" trust bits across the board, the Mozilla CA
list is still one of the primary sources of general CA lists in open
source projects that don't have the clout to maintain ongoing close
contractual relationships with the CAs.  And those other projects have
not made the mistake of replacing the code signing bit by a closed
garden god key of their own.

Thus one must also consider the code signing usage before removing a
certificate.  And in the code signing world, one major software vendor
is consistently refusing to patch its software to accept modern
signature algorithms, thus forcing SHA-1 code signing certificates to
remain in use for the foreseeable future.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy


Re: Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-14 Thread Andrew Ayer
On Sat, 12 Dec 2015 16:56:04 -0800
Yuhong Bao  wrote:

> I think this and most of the other 1024-bit roots were removed or
> restricted to email in Mozilla some time ago (last remaining one is
> Equifax). They had been considered obsolete for a long time.

Indeed, the Verisign Class 3 Public Primary Certification Authority is
currently email-only.  I'm curious if there's any reason the email
trust bit should not be removed as well, considering that Symantec's
announcement[1] only lists TLS and code signing as the uses of this
root.

Thanks,
Andrew

[1] 
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US


Re: Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-13 Thread Eric Mill
Sorry, you're right -- I inferred incorrectly from filtering censys.io on
key size.

On Sat, Dec 12, 2015 at 9:56 PM, Yuhong Bao 
wrote:

> The VeriSign "Class 3 Public Primary Certification Authority - G2" is also
> 1024-bit.



-- 
konklone.com | @konklone <https://twitter.com/konklone>
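The correction above turns on reading a root's key size correctly rather than inferring it from a search filter. As an added example, not code from this thread, from Mozilla or from Symantec, here is a small Go audit of the properties a trust-store maintainer checks on a root before deciding about its trust bits: key type and modulus size, signature algorithm and the CA flag. The two roots it generates are constructed for the demonstration and stand in for real roots taken from a bundle; AuditRootPEM is the entry point you would feed real PEM to.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// RootFinding collects the properties a trust-store maintainer checks before
// deciding whether a root should keep (or lose) its trust bits.
type RootFinding struct {
	Subject    string
	KeyType    string
	KeyBits    int
	SigAlg     string
	IsCA       bool
	WeakKey    bool // RSA below 2048 bits (the 1024-bit roots discussed in the thread)
	WeakSigAlg bool // MD2, MD5 or SHA-1 based signature
}

// AuditRoot inspects an already-parsed certificate.
func AuditRoot(cert *x509.Certificate) RootFinding {
	f := RootFinding{
		Subject: cert.Subject.CommonName,
		SigAlg:  cert.SignatureAlgorithm.String(),
		IsCA:    cert.IsCA,
	}
	switch pub := cert.PublicKey.(type) {
	case *rsa.PublicKey:
		f.KeyType = "RSA"
		f.KeyBits = pub.N.BitLen() // modulus length, not the size of the DER blob
		f.WeakKey = f.KeyBits < 2048
	case *ecdsa.PublicKey:
		f.KeyType = "ECDSA"
		f.KeyBits = pub.Curve.Params().BitSize
		f.WeakKey = f.KeyBits < 256
	default:
		f.KeyType = fmt.Sprintf("%T", pub)
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA, x509.SHA1WithRSA,
		x509.DSAWithSHA1, x509.ECDSAWithSHA1:
		f.WeakSigAlg = true
	}
	return f
}

// AuditRootPEM parses a PEM-encoded certificate (as found in a trust-store
// bundle) and audits it. Input without a CERTIFICATE block is rejected.
func AuditRootPEM(pemBytes []byte) (RootFinding, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil || block.Type != "CERTIFICATE" {
		return RootFinding{}, fmt.Errorf("no CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return RootFinding{}, err
	}
	return AuditRoot(cert), nil
}

// newSelfSignedRoot builds a constructed, throwaway self-signed CA with an RSA
// key of the requested size so the audit can run offline. It stands in for a
// real root taken from a trust store; nothing about it is a real CA.
func newSelfSignedRoot(cn string, bits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, c := range []struct {
		cn   string
		bits int
	}{{"Constructed Legacy Root", 1024}, {"Constructed Modern Root", 2048}} {
		cert, err := newSelfSignedRoot(c.cn, c.bits)
		if err != nil {
			panic(err)
		}
		f := AuditRoot(cert)
		fmt.Printf("%-24s %s-%d %s ca=%v weakKey=%v weakSig=%v\n",
			f.Subject, f.KeyType, f.KeyBits, f.SigAlg, f.IsCA, f.WeakKey, f.WeakSigAlg)
	}
}
```

The self-signature on a root is not verified when a chain is built, so WeakSigAlg on the root itself is informational; what matters for the root is its key size, and the signature algorithm matters on the certificates it issues. The 2048-bit threshold matches the cut-off that left the 1024-bit roots in this thread restricted to email.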


RE: Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-12 Thread Yuhong Bao
The VeriSign "Class 3 Public Primary Certification Authority - G2" is also 
1024-bit.


> Date: Sat, 12 Dec 2015 20:07:57 -0500
> Subject: RE: Remove trust of Symantec's Class 3 Public Primary Certification 
> Authority?
> From: e...@konklone.com
> To: yuhongbao_...@hotmail.com
> CC: mozilla-dev-security-pol...@lists.mozilla.org; k...@roeckx.be
>
> The G2 root identified by Peter is 2048-bit.
>
> -- Eric


RE: Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-12 Thread Eric Mill
The G2 root identified by Peter is 2048-bit.

-- Eric
On Dec 12, 2015 7:56 PM, "Yuhong Bao"  wrote:

> I think this and most of the other 1024-bit roots were removed or
> restricted to email in Mozilla some time ago (last remaining one is
> Equifax). They had been considered obsolete for a long time.


RE: Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-12 Thread Yuhong Bao
I think this and most of the other 1024-bit roots were removed or restricted to 
email in Mozilla some time ago (last remaining one is Equifax). They had been 
considered obsolete for a long time.

> Date: Sun, 13 Dec 2015 00:41:45 +0100
> From: k...@roeckx.be
> To: mozilla-dev-security-pol...@lists.mozilla.org
> Subject: Remove trust of Symantec's Class 3 Public Primary Certification  
> Authority?
> 
> Hi,
> 
> It seems that Symantec will stop using the "VeriSign G1" root
> certificate. In the announcement[1] they say: "Browsers may
> remove TLS/SSL support for certificates issued from these roots."
> 
> The name of the certificate seems to be "Class 3 Public Primary
> Certification Authority".
> 
> It seems Google plans[2] to remove the TLS trust bits, and distrust
> it instead.
> 
> The announcement says that it's also used for code signing, but
> it's not clear that it's still going to be used for that or not.
> 
> Should Mozilla follow and disable the TLS trust bits? Add it to
> the distrusted list?
> 
> 
> Kurt
> 
> [1]: 
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US
> [2]: 
> https://googleonlinesecurity.blogspot.be/2015/12/proactive-measures-in-digital.html
> 


Re: Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-12 Thread Eric Mill
Peter Bowen has suggested that the G2 root should be considered the same
way, since it seems to be used for the same purpose as the one Google
referenced:

https://twitter.com/pzb/status/675354162071252992

I believe this censys.io link is a (slightly) friendlier way of showing the
same thing:

https://www.censys.io/certificates?q=parsed.subject.common_name%3APrivate+AND+parsed.subject.organization%3ASymantec+and+parsed.extensions.basic_constraints.is_ca%3Atrue

-- Eric

On Sat, Dec 12, 2015 at 6:41 PM, Kurt Roeckx  wrote:

> Hi,
>
> It seems that Symantec will stop using the "VeriSign G1" root
> certificate.  In the announcement[1] they say: "Browsers may
> remove TLS/SSL support for certificates issued from these roots."
>
> The name of the certificate seems to be "Class 3 Public Primary
> Certification Authority".
>
> It seems Google plans[2] to remove the TLS trust bits, and distrust
> it instead.
>
> The announcement says that it's also used for code signing, but
> it's not clear that it's still going to be used for that or not.
>
> Should Mozilla follow and disable the TLS trust bits?  Add it to
> the distrusted list?
>
>
> Kurt
>
> [1]:
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US
> [2]:
> https://googleonlinesecurity.blogspot.be/2015/12/proactive-measures-in-digital.html
>



-- 
konklone.com | @konklone 


Remove trust of Symantec's Class 3 Public Primary Certification Authority?

2015-12-12 Thread Kurt Roeckx
Hi,

It seems that Symantec will stop using the "VeriSign G1" root
certificate.  In the announcement[1] they say: "Browsers may
remove TLS/SSL support for certificates issued from these roots."

The name of the certificate seems to be "Class 3 Public Primary
Certification Authority".

It seems Google plans[2] to remove the TLS trust bits, and distrust
it instead.

The announcement says that it's also used for code signing, but
it's not clear that it's still going to be used for that or not.

Should Mozilla follow and disable the TLS trust bits?  Add it to
the distrusted list?


Kurt

[1]: 
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US
[2]: 
https://googleonlinesecurity.blogspot.be/2015/12/proactive-measures-in-digital.html
