On Tue, Jan 24, 2017 at 11:08 AM, Peter Bowen <pzbo...@gmail.com> wrote:
> On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes <rbar...@mozilla.com> wrote:
> > On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham <g...@mozilla.org> wrote:
> >>
> >> This helpful spreadsheet shows that they were removed in Firefox 47 and
> >> 51 respectively:
> >> https://mozillacaprogram.secure.force.com/CA/RemovedCACertificateReport
> >> Although Firefox 51 was only released yesterday, so that's a bit
> >> concerning.
> >>
> >
> > Indeed, if they issued these before yesterday, this seems like a problem.
>
> I'm a little surprised to read this. This SHA-1 "private" hierarchy
> is not new news and has been discussed in various forums over the year
> or 18 months. At least one other CA operator has a similar hierarchy
> that is chained back to a root formerly in the Mozilla trust store.
>
> I was under the impression Mozilla knew about this from the SHA-1
> exceptions discussions, as one of the topics there has been "why can't
> they use the SHA-1 certs from the pulled roots?"

If the root was removed in Firefox 51, and they were issuing SHA-1 off of it
before 51 shipped, then they were issuing SHA-1 certificates under a root
trusted by Firefox. You can use SHA-1 under a pulled root, but it has to
actually be pulled first.

--Richard

>
> Thanks,
> Peter

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy