On 24/01/17 14:11, [email protected] wrote:
> I was searching on crt.sh and I found something confusing by accident.
> View this page: https://crt.sh/?Identity=%25&iCAID=7198
> I can see many SHA-1 certificates issued in 2016 and one is issued in 2017.

Your list is a list of certificates issued by "C=US, O=Symantec Corporation, CN=Symantec Private SSL SHA1 CA". If you view the page about that CA, you will see that it is not trusted by Mozilla:

https://crt.sh/?caid=7198

That's because it chains up to the following two roots:

1) OU=Class 3 Public Primary Certification Authority
   https://crt.sh/?caid=25
2) OU=Class 3 Public Primary Certification Authority - G2
   https://crt.sh/?caid=963

This helpful spreadsheet shows that they were removed in Firefox 47 and 51 respectively:

https://mozillacaprogram.secure.force.com/CA/RemovedCACertificateReport

Although Firefox 51 was only released yesterday, so that's a bit concerning.

Rob: is the "Trusted by Mozilla" stuff based on the root store on Mozilla's master branch?

Symantec representatives: was this "Private" SHA-1-issuing CA supposed to chain up to roots trusted by Mozilla until very recently?

> I think it was banned before, so could someone tell me why they can issue
> these SHA-1 certificates?
> SHA-1 certificate issued in 2017: https://crt.sh/?id=71625342

What makes you think that certificate was issued in 2017?

        Validity
            Not Before: Jul  7 00:00:00 2016 GMT
            Not After : Dec 31 23:59:59 2017 GMT

However, I do see this one issued in 2017:

https://crt.sh/?id=77777847

Symantec reps? Is the idea that this is OK because no browser trusts this part of your PKI any more?

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
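The two checks the mail turns on, which hash the certificate's signature uses and what notBefore says about when it was issued, can be read straight out of the DER without any library. The following is an added example, not code from the thread, crt.sh or Mozilla: a pure standard-library Python walk of Certificate -> tbsCertificate -> validity plus the outer signatureAlgorithm, with a PEM loader so it can be pointed at a certificate downloaded from crt.sh. The sample certificates are constructed inside the script (unsigned skeletons with placeholder names and an empty key), the first copying the validity window quoted above; they are not the crt.sh entries, and names such as parse_cert, issuance_year and build_sample_cert are the example's own.

```python
"""Read signature algorithm and validity window from a DER X.509 certificate (added example, stdlib only)."""
import base64
import datetime

# Signature AlgorithmIdentifier OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
SHA1_SIG_OIDS = {"1.2.840.113549.1.1.5", "1.2.840.10045.4.1"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:  # long-form length: low bits give the number of length octets
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    parts, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(map(str, parts))


def decode_time(tag, body):
    s = body.decode("ascii")
    if tag == 0x17:  # UTCTime YYMMDDHHMMSSZ; RFC 5280: YY < 50 is 20YY
        yy = int(s[:2])
        year, rest = (2000 + yy if yy < 50 else 1900 + yy), s[2:]
    elif tag == 0x18:  # GeneralizedTime YYYYMMDDHHMMSSZ
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    fields = [int(rest[i:i + 2]) for i in range(0, 10, 2)]  # month, day, hour, minute, second
    return datetime.datetime(year, *fields, tzinfo=datetime.timezone.utc)


def parse_cert(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    _, cert, _ = read_tlv(der, 0)
    _, tbs, p = read_tlv(cert, 0)
    _, outer_alg, _ = read_tlv(cert, p)
    outer_oid = decode_oid(read_tlv(outer_alg, 0)[1])
    tag, _, nxt = read_tlv(tbs, 0)
    p = nxt if tag == 0xA0 else 0       # [0] EXPLICIT version is absent for v1 certificates
    _, _, p = read_tlv(tbs, p)          # serialNumber
    _, inner_alg, p = read_tlv(tbs, p)  # signature: RFC 5280 4.1.2.3 says it must equal the outer one
    _, _, p = read_tlv(tbs, p)          # issuer
    _, validity, _ = read_tlv(tbs, p)
    inner_oid = decode_oid(read_tlv(inner_alg, 0)[1])
    if inner_oid != outer_oid:
        raise ValueError("tbsCertificate.signature %s != signatureAlgorithm %s" % (inner_oid, outer_oid))
    tag_nb, nb, q = read_tlv(validity, 0)
    tag_na, na, _ = read_tlv(validity, q)
    return {"signature_algorithm": SIG_ALG_NAMES.get(outer_oid, outer_oid),
            "sha1": outer_oid in SHA1_SIG_OIDS,
            "not_before": decode_time(tag_nb, nb), "not_after": decode_time(tag_na, na)}


def issuance_year(der):
    """'Issued in YEAR' is a claim about notBefore, not about notAfter."""
    return parse_cert(der)["not_before"].year


def load_pem(text):
    return base64.b64decode("".join(l for l in text.splitlines() if not l.startswith("-----")))


# --- minimal DER writer, used only to build the constructed samples below ---
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    parts = [int(x) for x in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for v in parts[2:]:
        chunk, v = [v & 0x7F], v >> 7
        while v:
            chunk, v = chunk + [0x80 | (v & 0x7F)], v >> 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def alg_id(oid):
    return tlv(0x30, encode_oid(oid) + b"\x05\x00")  # SEQUENCE { OID, NULL }


def build_sample_cert(not_before, not_after, sig_oid="1.2.840.113549.1.1.5"):
    """Constructed, unsigned skeleton: real structure, placeholder names, empty key and signature."""
    utc = lambda dt: tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg_id(sig_oid)
              + tlv(0x30, b"") + tlv(0x30, utc(not_before) + utc(not_after)) + tlv(0x30, b"")
              + tlv(0x30, alg_id("1.2.840.113549.1.1.1") + tlv(0x03, b"\x00")))
    return tlv(0x30, tbs + alg_id(sig_oid) + tlv(0x03, b"\x00"))


def _utc(*ymdhms):
    return datetime.datetime(*ymdhms, tzinfo=datetime.timezone.utc)

# Constructed samples, not the crt.sh entries: the first copies the validity window quoted in the
# mail; the other two are invented to contrast a 2017-issued SHA-1 cert with a SHA-256 one.
SAMPLE_2016_SHA1 = build_sample_cert(_utc(2016, 7, 7, 0, 0, 0), _utc(2017, 12, 31, 23, 59, 59))
SAMPLE_2017_SHA1 = build_sample_cert(_utc(2017, 1, 20, 0, 0, 0), _utc(2017, 12, 31, 23, 59, 59))
SAMPLE_2017_SHA256 = build_sample_cert(_utc(2017, 1, 20, 0, 0, 0), _utc(2018, 1, 20, 0, 0, 0),
                                       "1.2.840.113549.1.1.11")

if __name__ == "__main__":
    for name, der in (("2016/SHA-1", SAMPLE_2016_SHA1), ("2017/SHA-1", SAMPLE_2017_SHA1),
                      ("2017/SHA-256", SAMPLE_2017_SHA256)):
        info = parse_cert(der)
        print(name, info["signature_algorithm"], info["not_before"].date(), info["not_after"].date())
```

To run it against one of the certificates in the thread, download the PEM from crt.sh and call parse_cert(load_pem(open("cert.pem").read())). Two caveats worth keeping in mind: the mismatch check between tbsCertificate.signature and the outer signatureAlgorithm is there because only the outer field is what a verifier actually uses, and a certificate is "SHA-1" because of that signature OID, not because of the CA's name, so the decision belongs on the parsed algorithm rather than on the string "SHA1 CA" in the issuer.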

