On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes <[email protected]> wrote:
> On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham <[email protected]> wrote:
>>
>> This helpful spreadsheet shows that they were removed in Firefox 47 and
>> 51 respectively:
>> https://mozillacaprogram.secure.force.com/CA/RemovedCACertificateReport
>> Although Firefox 51 was only released yesterday, so that's a bit
>> concerning.
>>
>
> Indeed, if they issued these before yesterday, this seems like a problem.

I'm a little surprised to read this. This SHA-1 "private" hierarchy is not new news and has been discussed in various forums over the year or 18 months. At least one other CA operator has a similar hierarchy that is chained back to a root formerly in the Mozilla trust store.

I was under the impression Mozilla knew about this from the SHA-1 exceptions discussions, as one of the topics there has been "why can't they use the SHA-1 certs from the pulled roots?"

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

