----- Original Message -----
> From: "Kurt Roeckx" <[email protected]>
> To: "Hubert Kario" <[email protected]>
> Cc: [email protected]
> Sent: Friday, July 4, 2014 7:23:08 PM
> Subject: Re: Removal of 1024 bit CA roots - interoperability
>
> On Fri, Jul 04, 2014 at 09:27:49AM -0400, Hubert Kario wrote:
> > Interestingly, some intermediate CA certificates that were originally
> > signed by those 1024 bit CA certificates got cross signed using
> > different roots that will remain trusted[2]. In particular I mean the
> > "USERTrust Legacy Secure Server CA" certificate.
>
> Not sure which certificate you mean with that.

SHA1: 4a7edf9daa8955f800f8276ec70e9c44267416c7

The one referenced in Comment 19 in BZ#936304. But I have checked just this one root CA, that's why I was saying that there may be more.

> > That's why I think that we should ship the intermediate CA certificates
> > to make Firefox continue to interoperate with such sites.
>
> Is it an option to instead ship the intermediate so that we find
> an alternative trust path? We might already pick up that
> alternative in most cases.

That's what I had in mind: not to explicitly trust it, but to have it "precached", so that FF behaves in the same way as if I had already visited some different site that uses this intermediate CA and properly presents it to the clients.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

