----- Original Message -----
> From: "Kai Engert" <[email protected]>
> To: "Hubert Kario" <[email protected]>
> Cc: "Kathleen Wilson" <[email protected]>,
> [email protected]
> Sent: Tuesday, August 5, 2014 12:24:33 AM
> Subject: Re: Removal of 1024 bit CA roots - interoperability
>
> Hubert, what's your conclusion of your analysis?

Sorry, looks like mailman ate the attachments. I'll summarise them below.

Basically, the only sites that are severely affected are the ones that link up to the GTE CyberTrust Global Root; there are 88 such sites. Since we're already adding this root back, I won't be quoting this list here.

The other 11 sites affected (with the CAs they link up to) are:

[email protected] /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
[email protected] /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
[email protected] /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
[email protected] /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
[email protected] /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
[email protected] /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
[email protected] /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
[email protected] /C=CO/O=Sociedad Cameral de Certificaci\xC3\xB3n Digital - Certic\xC3\xA1mara S.A./CN=AC Ra\xC3\xADz Certic\xC3\xA1mara S.A.
[email protected] /L=ValiCert Validation Network/O=ValiCert, Inc./OU=ValiCert Class 2 Policy Validation Authority/CN=http://www.valicert.com//[email protected]
[email protected] /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
[email protected] /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority

So it doesn't look like the removal of the roots (in the upcoming version) has a large impact.

If we look at sites whose chains have gained the incomplete status, 113 of them link up to the Entrust.net roots and 16 of them link up to GTE CyberTrust roots (9 sites had incomplete chains and then became untrusted).

So if we ship the new intermediate cert and the GTE root, only the above sites should be affected.

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Email: [email protected]
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

