On 16/11/2016 00:58, Kathleen Wilson wrote:
This request from Symantec is to only enable the Email trust bit for the 
following 4 root certificates that will eventually replace the VeriSign-brand 
class 1 and 2 root certs that are currently included in NSS.
1) Symantec Class 1 Public Primary Certification Authority - G6
2) Symantec Class 2 Public Primary Certification Authority - G6
3) Symantec Class 1 Public Primary Certification Authority - G4
4) Symantec Class 2 Public Primary Certification Authority - G4
The G6 root certs are SHA-256, and the G4 root certs are ECC.

If there are no objections or concerns about this request, then I will 
recommend approval in the bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=833986

Thanks,
Kathleen


Practical note regarding that future replacement:

When deprecating CA certificates with the e-mail trust bit set, please
consider the common use case of reading an old e-mail or posting
in Mozilla Thunderbird, thus causing Thunderbird to verify a signature
made with a certificate likely to have both validity periods and
issuing CA consistent with its old date (as verified by the Received
date from the recipient's own mail server).

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy
