On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham <[email protected]> wrote:
> On 24/01/17 14:11, [email protected] wrote:
> > I was searching on crt.sh and I found something confusing by accident.
> > View this page : https://crt.sh/?Identity=%25&iCAID=7198
> > I can see many SHA-1 certificates issued in 2016 and one is issued in
> > 2017.
>
> Your list is a list of certificates issued by "C=US, O=Symantec
> Corporation, CN=Symantec Private SSL SHA1 CA". If you view the page
> about that CA, you will see that it is not trusted by Mozilla:
> https://crt.sh/?caid=7198
>
> That's because it chains up to the following two roots:
>
> 1) OU=Class 3 Public Primary Certification Authority
> https://crt.sh/?caid=25
>
> 2) OU=Class 3 Public Primary Certification Authority - G2
> https://crt.sh/?caid=963
>
> This helpful spreadsheet shows that they were removed in Firefox 47 and
> 51 respectively:
> https://mozillacaprogram.secure.force.com/CA/RemovedCACertificateReport
> Although Firefox 51 was only released yesterday, so that's a bit
> concerning.

Indeed, if they issued these before yesterday, this seems like a problem.

> Rob: is the "Trusted by Mozilla" stuff based on the root store on
> Mozilla's master branch?
>
> Symantec representatives: was this "Private" SHA-1-issuing CA supposed
> to chain up to roots trusted by Mozilla until very recently?
>
> > I think it was banned before so someone could tell me why they can issue
> > these SHA-1 certificates?
> > SHA-1 certificate issued in 2017 : https://crt.sh/?id=71625342
>
> What makes you think that certificate was issued in 2017?
>
> Validity
> Not Before: Jul 7 00:00:00 2016 GMT
> Not After : Dec 31 23:59:59 2017 GMT
>
> However, I do see this one issued in 2017:
> https://crt.sh/?id=77777847
>
> Symantec reps? Is the idea that this is OK because no browser trusts
> this part of your PKI any more?

Except of course the non-zero slice of users that haven't updated yet.
--Richard

> Gerv
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
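As an added example (not part of the thread and not crt.sh code), a stdlib-only Python walker that pulls the signatureAlgorithm and Validity out of a DER certificate, so the "issued in 2017?" question is answered from notBefore rather than from where a certificate appears in a listing. The DER reader, the `skeleton_cert` builder and the sample certificate it builds are constructed here (dummy names, serial, key and signature); only the validity dates come from the thread.

```python
import datetime as dt

def read_tlv(buf, off):
    """Return (tag, value, offset of the next element) for the DER TLV at buf[off:]."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long-form length, as real certs use
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], 'big'), off + n
    return tag, buf[off:off + length], off + length

def oid_str(b):
    """Decode the value bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, v = [b[0] // 40, b[0] % 40], 0
    for c in b[1:]:
        v = (v << 7) | (c & 0x7F)
        if not c & 0x80:
            arcs.append(v)
            v = 0
    return '.'.join(map(str, arcs))

SIG_OIDS = {'1.2.840.113549.1.1.5': 'sha1WithRSAEncryption',
            '1.2.840.113549.1.1.11': 'sha256WithRSAEncryption'}

def inspect_cert(der):
    """Walk a DER Certificate; return (signature algorithm, notBefore, notAfter)."""
    _, cert, _ = read_tlv(der, 0)                  # Certificate ::= SEQUENCE
    _, tbs, off = read_tlv(cert, 0)                # tbsCertificate
    _, sig_alg, _ = read_tlv(cert, off)            # signatureAlgorithm AlgorithmIdentifier
    _, oid, _ = read_tlv(sig_alg, 0)
    tag, _, off = read_tlv(tbs, 0)                 # [0] EXPLICIT version is OPTIONAL
    if tag != 0xA0:
        off = 0
    for _ in range(3):                             # skip serialNumber, signature, issuer
        _, _, off = read_tlv(tbs, off)
    _, validity, _ = read_tlv(tbs, off)            # Validity ::= SEQUENCE { notBefore, notAfter }
    _, nb, off = read_tlv(validity, 0)
    _, na, _ = read_tlv(validity, off)
    utc = lambda t: dt.datetime.strptime(t.decode(), '%y%m%d%H%M%SZ')  # UTCTime (pre-2050)
    return SIG_OIDS.get(oid_str(oid), oid_str(oid)), utc(nb), utc(na)

def sha1_issued_on_or_after(der, cutoff):
    """True if the cert is SHA-1 signed and notBefore (its issuance date) is >= cutoff."""
    alg, not_before, _ = inspect_cert(der)
    return alg.startswith('sha1') and not_before >= cutoff

# Constructed sample input (short-form lengths only): a skeletal certificate carrying the
# validity Gerv quoted for https://crt.sh/?id=71625342; everything else is a dummy value.
def tlv(tag, body):
    return bytes([tag, len(body)]) + body

def skeleton_cert(sig_oid, not_before, not_after):
    t = lambda d: tlv(0x17, d.strftime('%y%m%d%H%M%SZ').encode())
    alg_id, empty = tlv(0x30, tlv(0x06, sig_oid) + b'\x05\x00'), tlv(0x30, b'')
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b'\x02')) + tlv(0x02, b'\x01') + alg_id + empty
              + tlv(0x30, t(not_before) + t(not_after)) + empty + tlv(0x30, b''))
    return tlv(0x30, tbs + alg_id + tlv(0x03, b'\x00'))

SHA1_RSA = bytes.fromhex('2a864886f70d010105')   # OID 1.2.840.113549.1.1.5
CERT_71625342 = skeleton_cert(SHA1_RSA, dt.datetime(2016, 7, 7),
                              dt.datetime(2017, 12, 31, 23, 59, 59))
```

For a real certificate, feed the raw DER (e.g. the bytes behind a crt.sh download) to `inspect_cert`; the walker only reads the fields it needs and does not validate the signature or the chain.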

