Re: I found some SHA-1 certificates issued by Symantec

2017-01-25 Thread Gervase Markham
On 24/01/17 15:48, Gervase Markham wrote:
> That's because it chains up to the following two roots:
>
> 1) OU=Class 3 Public Primary Certification Authority
> https://crt.sh/?caid=25
This root had its SSL bits disabled around June 2014: https://bugzilla.mozilla.org/show_bug.cgi?id=986005

RE: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Jeremy Rowley
On Tue, Jan 24, 2017 at 11:08 AM, Peter Bowen <pzbo...@gmail.com> wrote: > On Tue, Jan 24, 2017

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Rob Stradling
On 24/01/17 16:19, Rob Stradling wrote: On 24/01/17 16:11, Richard Barnes wrote: If the root was removed in Firefox 51, and they were issuing SHA-1 off of it before 51 shipped, then they were issuing SHA-1 certificates under a root trusted by Firefox. You can use SHA-1 under a pulled root,

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Gervase Markham
On 24/01/17 16:08, Peter Bowen wrote:
>> Indeed, if they issued these before yesterday, this seems like a problem.
>
> I'm a little surprised to read this. This SHA-1 "private" hierarchy
> is not new news and has been discussed in various forums over the year
> or 18 months. At least one other

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Rob Stradling
On 24/01/17 16:11, Richard Barnes wrote: If the root was removed in Firefox 51, and they were issuing SHA-1 off of it before 51 shipped, then they were issuing SHA-1 certificates under a root trusted by Firefox. You can use SHA-1 under a pulled root, but it has to actually be pulled first. I

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Richard Barnes
On Tue, Jan 24, 2017 at 11:08 AM, Peter Bowen wrote:
> On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes wrote:
> > On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote:
> >>
> >> This helpful spreadsheet shows that they were

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Peter Bowen
On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes wrote:
> On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote:
>>
>> This helpful spreadsheet shows that they were removed in Firefox 47 and
>> 51 respectively:
>>

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Gervase Markham
On 24/01/17 16:00, Richard Barnes wrote:
> Except of course the non-zero slice of users that haven't updated yet.
True, although I think it's unreasonable to give CAs a dependency on the quality of our automatic update infrastructure. We can have a discussion about whether "checked into master"

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Richard Barnes
On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote:
> On 24/01/17 14:11, w...@gmail.com wrote:
> > I was searching on crt.sh and I found something confusing by accident.
> > View this page : https://crt.sh/?Identity=%25=7198
> > I can see many SHA-1 certificates issued

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Rob Stradling
On 24/01/17 15:48, Gervase Markham wrote: Rob: is the "Trusted by Mozilla" stuff based on the root store on Mozilla's master branch? Hi Gerv. Yes, I aim to keep crt.sh's view of "Trusted by Mozilla" in sync with mozilla-central [1]. [1] was last updated a few days ago, and I pushed the

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Gervase Markham
On 24/01/17 14:11, w...@gmail.com wrote:
> I was searching on crt.sh and I found something confusing by accident.
> View this page : https://crt.sh/?Identity=%25=7198
> I can see many SHA-1 certificates issued in 2016 and one is issued in 2017.
Your list is a list of certificates issued by

I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread wwwww818
I was searching on crt.sh and I found something confusing by accident. View this page : https://crt.sh/?Identity=%25=7198 I can see many SHA-1 certificates issued in 2016 and one is issued in 2017. I think it was banned before so someone could tell me why they can issue these SHA-1 certificates?

Re: I found some SHA-1 certificates issued by Symantec

2017-01-24 Thread Rob Stradling
On 24/01/17 14:11, w...@gmail.com wrote: I was searching on crt.sh and I found something confusing by accident. View this page : https://crt.sh/?Identity=%25=7198 I can see many SHA-1 certificates issued in 2016 and one is issued in 2017. I think it was banned before so someone could tell me