On 24/01/17 16:08, Peter Bowen wrote:
>> Indeed, if they issued these before yesterday, this seems like a problem.
>
> I'm a little surprised to read this. This SHA-1 "private" hierarchy
> is not new news and has been discussed in various forums over the year
> or 18 months. At least one other CA operator has a similar hierarchy
> that is chained back to a root formerly in the Mozilla trust store.
>
> I was under the impression Mozilla knew about this from the SHA-1
> exceptions discussions, as one of the topics there has been "why can't
> they use the SHA-1 certs from the pulled roots?"
We pulled a bunch of roots in December 2015, including some from Symantec. This is the Firefox 42 - 44 timeframe (44 was January, but I can accept perhaps we took some time to get the job done). So of the Symantec roots, that would be:

VeriSign Class 4 Public Primary Certification Authority - G3
UTN-USERFirst-Network Applications

There's also, of course, Thawte Server CA and Thawte Premium Server CA, pulled in Firefox 36, and some TC TrustCenter roots as well.

I had assumed that when people talked about "pulled roots", they were talking about roots which actually had been pulled. I did not expect to see a SHA-1 hierarchy cross-signed by a root still trusted by Firefox until yesterday.

Gerv

_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

