On 03/11/2016 18:53, Gervase Markham wrote:
On 28/10/16 16:11, Patrick Figel wrote:
I found a number of SHA-1 certificates chaining up to CAs trusted by
Mozilla that have not been brought up on this list or on Bugzilla yet.
Using the handy crt.sh link posted by Rob, I have gone through the 2016
SHA-1 issuances known to crt.sh to filter out those which chain up to a
root trusted by Mozilla. (Handily, crt.sh contains this information as
well.) There are a distressingly large number of them :-(
...
and based on this additional research, I have filed:
...
https://bugzilla.mozilla.org/show_bug.cgi?id=1315018 (GlobalSign)
Note that the GlobalSign SHA-1 intermediaries chain only to their old
SHA-1 root which is (I believe) not used for any SHA-256 certs, except
a cross-cert that signs their current SHA-256 root.
The recent "revocation runaway" incident was caused by GlobalSign
revoking the cross signing of their old SHA-1 root by their current
SHA-256 root.
So I suspect the intent of GlobalSign is that the old SHA-1 root should
lose its ServerAuth trust bit around 2017-01-01, reducing it to a
SHA-1-forever root trusted only by old SHA-1-only systems and maybe for
e-mail (because some non-Mozilla e-mail clients were very late to
support SHA-2 e-mail signatures).
Enjoy
Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
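As an added illustration (not part of this thread, nor any crt.sh tooling) of why a "SHA-1 certs chaining to a Mozilla-trusted root" filter has to walk every path and not just the leaf: a toy chain walker over a constructed certificate pool. It enumerates all paths from a subject to a trusted root, including the extra path a cross-certificate creates, and flags only paths where a non-self-signature uses SHA-1, so a SHA-256 chain that happens to route through the old SHA-1 root's cross-cert is not counted. The subject names, the `sig` field and the `revoked` set are assumptions; nothing here is a real GlobalSign certificate.

```python
# Constructed toy pool: subject, issuer and signature hash, roughly the
# fields crt.sh shows. Names are placeholders, not real certificates.
CERTS = [
    {"subject": "Leaf A", "issuer": "SHA1 Inter", "sig": "sha1"},
    {"subject": "SHA1 Inter", "issuer": "Old SHA-1 Root", "sig": "sha1"},
    {"subject": "Old SHA-1 Root", "issuer": "Old SHA-1 Root", "sig": "sha1"},
    {"subject": "Leaf B", "issuer": "SHA256 Inter", "sig": "sha256"},
    {"subject": "SHA256 Inter", "issuer": "New SHA-256 Root", "sig": "sha256"},
    {"subject": "New SHA-256 Root", "issuer": "New SHA-256 Root", "sig": "sha256"},
    # Cross-cert: the new root's subject/key, signed (with SHA-256) by the old root.
    {"subject": "New SHA-256 Root", "issuer": "Old SHA-1 Root", "sig": "sha256"},
]
TRUSTED_ROOTS = {"Old SHA-1 Root", "New SHA-256 Root"}


def paths_to_trusted(subject, certs, trusted, revoked=frozenset(), seen=()):
    """Every issuer chain from `subject` up to a trusted root.

    A path is a list of (subject, issuer, sig) links ending at a root's
    self-signed entry. Cross-certs yield several paths for one subject;
    `revoked` holds (subject, issuer) pairs to treat as unusable."""
    if subject in seen:            # loop guard: cross-certs can form cycles
        return []
    paths = []
    for c in certs:
        if c["subject"] != subject or (c["subject"], c["issuer"]) in revoked:
            continue
        link = (c["subject"], c["issuer"], c["sig"])
        if c["issuer"] == subject:  # self-signed: only a trust anchor counts
            if subject in trusted:
                paths.append([link])
            continue
        for tail in paths_to_trusted(c["issuer"], certs, trusted,
                                     revoked, seen + (subject,)):
            paths.append([link] + tail)
    return paths


def sha1_trusted_paths(subject, certs=CERTS, trusted=TRUSTED_ROOTS,
                       revoked=frozenset()):
    """Paths to a trusted root where some non-self-signed link is SHA-1.

    A root's own self-signature is never verified by clients, so it is
    ignored; only SHA-1 on a leaf, intermediate or cross-cert is flagged."""
    flagged = []
    for path in paths_to_trusted(subject, certs, trusted, revoked):
        if any(sig == "sha1" and subj != iss for subj, iss, sig in path):
            flagged.append(path)
    return flagged
```

Dropping the old root from `trusted` models the ServerAuth trust-bit removal discussed above, and putting the cross-cert pair in `revoked` models its revocation; both shrink the set of paths rather than changing any certificate.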