On 05/08/14 09:34, Rob Stradling wrote:
Kathleen, to work around the classic NSS path building behaviour you
observed yesterday, we will issue another cross-certificate to
USERTrust Legacy Secure Server CA, with a newer notBefore date, from
our AddTrust External CA Root built-in root.
Then, you
- Original Message -
From: Kurt Roeckx k...@roeckx.be
To: Hubert Kario hka...@redhat.com
Cc: Kathleen Wilson kwil...@mozilla.com,
mozilla-dev-security-pol...@lists.mozilla.org
Sent: Tuesday, August 5, 2014 12:44:13 AM
Subject: Re: Removal of 1024 bit CA roots - interoperability
On 2014-08-05 14:22, Hubert Kario wrote:
0.05% of sites doesn't mean 0.05% of users, especially if we look at local,
not global, user share. Some of them are high profile sites, e.g.:
volkswagen.at, dell.com, cadillaceurope.com, www.portaldasfinancas.gov.pt
It's not because they have an https
- Original Message -
From: Hubert Kario hka...@redhat.com
- Original Message -
From: Kathleen Wilson kwil...@mozilla.com
== For this batch of root changes ==
We are still investigating if we should use this possible solution for
this batch of root changes. Please
Hubert, what's your conclusion of your analysis?
Thanks
Kai
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
On Mon, Aug 04, 2014 at 10:03:13AM -0400, Hubert Kario wrote:
So I've analysed the data.
Change (without-with) | Count
----------------------+------
complete              |  -219
incomplete            |  +120
untrusted             |   +99
So this is in the order of 0.05%
On 7/31/14, 1:17 PM, Kathleen Wilson wrote:
Here's what we are doing for this first batch of root changes that was
made in NSS 3.16.3, and is currently in Firefox 32, which is in Beta.
NSS 3.16.4 will be created and included in Firefox 32. It will only
contain these two changes:
1)
On Mon, Aug 4, 2014 at 3:52 PM, Kathleen Wilson kwil...@mozilla.com wrote:
It turns out that including the 2048-bit version of the cross-signed
intermediate certificate does not help NSS at all. It would only help
Firefox, and would cause confusion.
That isn't true, AFAICT.
It works for
Hubert Kario hka...@redhat.com wrote:
Brian Smith wrote:
It depends on your definition of help. I assume the goal is to
encourage websites to migrate from 1024-bit signatures to RSA-2048-bit
or ECDSA-P-256 signatures. If so, then including the intermediates in
NSS so that all NSS-based
On 7/25/14, 3:11 PM, Kathleen Wilson wrote:
== Background ==
We have begun removal of 1024-bit roots with the following 2 bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=936304
-- Remove Entrust.net, GTE CyberTrust, and ValiCert 1024-bit root
certificates from NSS
-bounces+steve.medin=verizonbusiness@lists.mozilla.org] On Behalf Of Kathleen Wilson
Sent: Monday, July 28, 2014 4:29 PM
To: mozilla-dev-security-pol...@lists.mozilla.org
Subject: Re: Removal of 1024 bit CA roots - interoperability
On 7/25/14, 3:11 PM, Kathleen Wilson wrote:
On 7/4/14, 6:27 AM
The newly released NSS 3.16.3 doesn't include 1024 bit CA certificates
any more[1]. This will of course impact users of servers that still use
it.
Interestingly, some intermediate CA certificates that were originally
signed by those 1024 bit CA certificates got cross signed using
different roots
On Fri, Jul 04, 2014 at 09:27:49AM -0400, Hubert Kario wrote:
The newly released NSS 3.16.3 doesn't include 1024 bit CA certificates
any more[1]. This will of course impact users of servers that still use
it.
Interestingly, some intermediate CA certificates that were originally
signed by
Hubert Kario hka...@redhat.com writes:
Problem is, that some administrators haven't updated their servers
to provide the new intermediate certificate for 3 years. As such,
I don't think we can realistically expect all of them to update their
configuration now.
That is not surprising. IME