On 24/01/17 16:11, Richard Barnes wrote:
<snip>
> If the root was removed in Firefox 51, and they were issuing SHA-1 off
> of it before 51 shipped, then they were issuing SHA-1 certificates under
> a root trusted by Firefox.
>
> You can use SHA-1 under a pulled root, but it has to actually be pulled
> first.

I think the "Class 3 Public Primary Certification Authority"
(https://crt.sh/?id=162) was already "pulled".
It may only have been removed completely in FF51, but it looks like it
had the Websites trust bit disabled some time ago:
https://bugzilla.mozilla.org/show_bug.cgi?id=936105
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy