On Fri, Jul 04, 2014 at 09:27:49AM -0400, Hubert Kario wrote: > The newly released NSS 3.16.3 doesn't include 1024 bit CA certificates > any more[1]. This will of course impact users of servers that still use > it. > > Interestingly, some intermediate CA certificates that were originally > signed by those 1024 bit CA certificates got cross signed using > different roots that will remain trusted[2]. In particular I mean the > "USERTrust Legacy Secure Server CA" certificate.
Not sure which certificte you mean with that. > Problem is, that some administrators haven't updated their servers > to provide the new intermediate certificate for 3 years. As such, > I don't think we can realistically expect all of them to update their > configuration now. > > While testing found just 217 sites as of 2014-05-30 that are > impacted by this change[2], it did test only top 200 000 > SSL enabled servers. I'd estimate the total number in Alexa top 1M > alone at over 373k. Moreover, some of those sites include sites that > are in the top 10000 sites, like groupon.my[3]. So loss of connectivity > to them may have bigger impact than the above quoted 217 could lead > us to believe. Using Rapid7's Solar data from 30 june 2014, I see those certificates that many times: 99a69be61afe886b4d2b82007cb854fc317e1539 11204 97817950d81c9670cc34d809cf794431367ef474 19815 e5df743cb601c49b9843dcab8ce86a81109fe48e 7 317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6 89707 69bd8cf49cd300fb592e1793ca556af3ecaa35fb 116 > That's why I think that we should ship the intermediate CA certificates > to make Firefox continue to interoperate with such sites. Is it an option to instead ship the intermediate so that we find an alternative trust path? We might already pick up that alternative in most cases. Kurt _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
