On 10/27/14, 2:05 PM, Kathleen Wilson wrote:
On 10/24/14, 4:24 PM, Daniel Roesler wrote:
Howdy all,
I'm trying to understand the trust flags in the root CA list[1].
According to Bug #605187[2], the AOL root cert[3] should be removed.
However, it is still in the list and all the flags on it appear to
be the same as the DigiCert EV cert[4], which is the root cert used by
mxr.mozilla.org itself.
Does this mean that AOL's root cert is still enabled? Where am I
missing the trust bits?
Apologies for the naive questions,
-Daniel
[1] - https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt
[2] - https://bugzilla.mozilla.org/show_bug.cgi?id=605187
[3] - https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt#4605
[4] - https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt#9627
When you look at certdata.txt, be sure to look at the CN and Fingerprint
for each cert.
As per
https://bugzilla.mozilla.org/show_bug.cgi?id=605187
these root certs were removed:
CN = AOL Time Warner Root Certification Authority 1
OU = America Online Inc.
O = AOL Time Warner Inc.
SHA1 Fingerprint:
74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49
and
CN = AOL Time Warner Root Certification Authority 2
OU = America Online Inc.
O = AOL Time Warner Inc.
SHA1 Fingerprint:
FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A
However, AOL has different root certs that are still included.
The AOL certs that are still included are:
CN = America Online Root Certification Authority 1
O = America Online Inc.
C = US
SHA1 Fingerprint:
39:21:C1:15:C1:5D:0E:CA:5C:CB:5B:C4:F0:7D:21:D8:05:0B:56:6A
and
CN = America Online Root Certification Authority 2
O = America Online Inc.
C = US
SHA1 Fingerprint:
85:B5:FF:67:9B:0C:79:96:1F:C8:6E:44:22:00:46:13:DB:17:92:84
Hope that helps.
Kathleen
I should clarify that the two remaining AOL root certs are also going to
be removed per https://bugzilla.mozilla.org/show_bug.cgi?id=1083294
Kathleen
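
Added example, not part of the original thread: a small Python parser that indexes the trust records in a certdata.txt-style file by SHA1 fingerprint, so a root can be matched by fingerprint rather than by a similar-looking name and its trust bits read directly. The sample input is constructed (made-up labels and hashes), and the function names `parse_trust` and `is_trust_anchor` are hypothetical.

```python
import re
from itertools import takewhile

# Constructed sample in certdata.txt object syntax (labels and hashes are made up).
SAMPLE = r'''
# Trust for "Example Root CA 1"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 1"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017\020\021\022\023\024
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 2"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\252\273\314\335\356\377\000\021\042\063\104\125\146\167\210\231\252\273\314\335
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''

def parse_trust(text):
    """Map SHA1 fingerprint -> attributes of each CKO_NSS_TRUST object."""
    found, obj, lines = {}, None, iter(text.splitlines())
    for raw in lines:
        parts = raw.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        attr, typ, val = parts[0], parts[1], parts[2] if len(parts) > 2 else ""
        if typ == "MULTILINE_OCTAL":  # value follows on the next lines, up to END
            body = "".join(takewhile(lambda ln: ln.strip() != "END", lines))
            val = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", body))
        elif typ == "UTF8":
            val = val.strip('"')
        if attr == "CKA_CLASS":  # each object begins with its class
            obj = {} if val == "CKO_NSS_TRUST" else None
        elif obj is not None:  # attributes of certificate objects are skipped
            obj[attr] = val
            if attr == "CKA_CERT_SHA1_HASH":  # index by colon-separated fingerprint
                found[":".join(f"{b:02X}" for b in val)] = obj
    return found

def is_trust_anchor(entry, purpose="CKA_TRUST_SERVER_AUTH"):
    """True only if the trust record marks the root as a trusted CA for purpose."""
    return entry.get(purpose) == "CKT_NSS_TRUSTED_DELEGATOR"

if __name__ == "__main__":
    for fp, entry in parse_trust(SAMPLE).items():
        print(fp, entry["CKA_LABEL"], "TLS anchor:", is_trust_anchor(entry))
```

Looking up a fingerprint in the returned dictionary shows either the per-purpose trust values for that exact certificate or, when the key is absent, that the file carries no trust record for it.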