On 15/12/2015 03:34, Andrew Ayer wrote:
> On Sat, 12 Dec 2015 16:56:04 -0800
> Yuhong Bao <[email protected]> wrote:
>> I think this and most of the other 1024-bit roots were removed or
>> restricted to email in Mozilla some time ago (last remaining one is
>> Equifax). They had been considered obsolete for a long time.
> Indeed, the Verisign Class 3 Public Primary Certification Authority is
> currently email-only. I'm curious if there's any reason the email
> trust bit should not be removed as well, considering that Symantec's
> announcement[1] only lists TLS and code signing as the uses of this
> root.
> Thanks,
> Andrew
> [1]
> https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US
Please note that while someone in this group successfully lobbied to
remove the "code-signing" trust bits across the board, the Mozilla CA
list is still one of the primary sources of general CA lists in open
source projects that don't have the clout to maintain ongoing close
contractual relationships with the CAs. And those other projects have
not made the mistake of replacing the code signing bit by a closed
garden god key of their own.
Thus one must also consider the code signing usage before removing a
certificate. And in the code signing world, one major software vendor
is consistently refusing to patch its software to accept modern
signature algorithms, thus forcing SHA-1 code signing certificates to
remain in use for the foreseeable future.
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
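The thread turns on two properties of a root certificate: a 1024-bit RSA key and a SHA-1 (or older) signature algorithm. Projects that reuse the Mozilla CA list, as Jakob describes, can check their own bundle for those properties before deciding what to trust. The following Go program is an added example written for this page, not code from the thread or from Mozilla/NSS: it parses every CERTIFICATE block in a PEM bundle with the standard crypto/x509 package and reports any RSA key shorter than 2048 bits and any MD2/MD5/SHA-1-based signature. The `SelfSignedPEM` helper builds constructed test certificates in memory so the program runs offline; the names and thresholds are assumptions chosen for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// Finding records one weakness observed in a certificate.
type Finding struct {
	Subject string
	Problem string
}

// weakSigAlgs lists signature algorithms built on MD2, MD5 or SHA-1.
var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD2WithRSA:    true,
	x509.MD5WithRSA:    true,
	x509.SHA1WithRSA:   true,
	x509.DSAWithSHA1:   true,
	x509.ECDSAWithSHA1: true,
}

// AuditCert returns findings for a short RSA key or a weak signature
// algorithm. The 2048-bit floor is an assumption for this example.
func AuditCert(cert *x509.Certificate) []Finding {
	var out []Finding
	subj := cert.Subject.CommonName
	if pub, ok := cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		out = append(out, Finding{subj, fmt.Sprintf("RSA key is only %d bits", pub.N.BitLen())})
	}
	if weakSigAlgs[cert.SignatureAlgorithm] {
		out = append(out, Finding{subj, "signed with " + cert.SignatureAlgorithm.String()})
	}
	return out
}

// AuditBundle walks every PEM block in a bundle, skips non-certificate
// blocks, and collects findings for each certificate that parses.
func AuditBundle(bundle []byte) ([]Finding, error) {
	var out []Finding
	for {
		block, rest := pem.Decode(bundle)
		if block == nil {
			break
		}
		bundle = rest
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		out = append(out, AuditCert(cert)...)
	}
	return out, nil
}

// SelfSignedPEM builds a constructed self-signed CA certificate with an
// RSA key of the given size. It exists only to feed the auditor sample
// input; it is not a real root and is never written to disk.
func SelfSignedPEM(cn string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	// Constructed bundle: one 1024-bit root and one 2048-bit root.
	weak, _ := SelfSignedPEM("constructed-1024", 1024)
	strong, _ := SelfSignedPEM("constructed-2048", 2048)
	findings, err := AuditBundle(append(weak, strong...))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s\n", f.Subject, f.Problem)
	}
}
```

To audit a real bundle, read the file into a byte slice and pass it to `AuditBundle`; the parser stops at the first block that fails to parse so that a corrupt entry is surfaced rather than silently skipped.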
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy