----- Original Message -----
> From: "Kathleen Wilson" <[email protected]>
> To: [email protected]
> Sent: Saturday, 26 July, 2014 12:11:11 AM
> Subject: Re: Removal of 1024 bit CA roots - interoperability
>
> On 7/4/14, 6:27 AM, Hubert Kario wrote:
> > The newly released NSS 3.16.3 doesn't include 1024 bit CA certificates
> > any more[1]. This will of course impact users of servers that still use
> > it.
> <snip>
> > That's why I think that we should ship the intermediate CA certificates
> > to make Firefox continue to interoperate with such sites.
>
> == Possible Solution ==
> One possible way to help mitigate the pain of migration from an old root
> is to directly include the cross-signed intermediate certificate that
> chains up to the new root in NSS for 1 or 2 years.

<snip>

> This does not mean that we would begin including intermediate certs upon
> request. We would only consider using this approach as a way to provide
> a smoother transition when we remove a root certificate. Mozilla would
> determine when it is necessary to include an intermediate certificate
> for the purpose of removing a root certificate.

Thank you for looking into this

> == For this batch of root changes ==
>
> We are still investigating if we should use this possible solution for
> this batch of root changes. Please stay tuned and continue to share data
> and test results that should be considered.

I did perform a scan of the Alexa Top 1 million the week before this, unfortunately I didn't have the time to write a script to perform analysis of this data yet. I'll try to do this this week.

-- 
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

