On 24/01/17 16:19, Rob Stradling wrote:
> On 24/01/17 16:11, Richard Barnes wrote:
> <snip>
>> If the root was removed in Firefox 51, and they were issuing SHA-1 off
>> of it before 51 shipped, then they were issuing SHA-1 certificates under
>> a root trusted by Firefox.
>>
>> You can use SHA-1 under a pulled root, but it has to actually be pulled
>> first.
>
> I think the "Class 3 Public Primary Certification Authority"
> (https://crt.sh/?id=162) was already "pulled".
>
> It may only have been removed completely in FF51, but it looks like it
> had the Websites trust bit disabled some time ago:
> https://bugzilla.mozilla.org/show_bug.cgi?id=936105
Yeah, https://crt.sh/?id=162 lost the Websites trust bit in NSS 3.16.3,
the release of which was announced to m.d.s.crypto on 3rd July 2014.
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes
"The Trust Bits were changed for the following CA certificates
...
OU = Class 3 Public Primary Certification Authority
SHA1 Fingerprint:
74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
Turned off websites and code signing trust bits (1024-bit root)"
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
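Added example (not part of the thread, and not NSS or Mozilla code): the "Websites trust bit" Rob refers to is the CKA_TRUST_SERVER_AUTH attribute on the CKO_NSS_TRUST object that accompanies each root in NSS's certdata.txt, so "still shipped but no longer trusted for TLS" is a state you can read straight out of the file. The script below parses the certdata.txt trust-object syntax (MULTILINE_OCTAL blobs terminated by END, CK_TRUST values) and reports, for a given SHA-1 fingerprint, which purposes the root is still a trust anchor for. The embedded certdata fragment is hand-constructed for this example: the fingerprint is the one quoted in the release notes, the trust values mirror the NSS 3.16.3 change (websites and code signing off, email kept), and the MD5, issuer and serial blobs are dummy bytes.

```python
"""Report NSS trust bits for a root by SHA-1 fingerprint (added example)."""
import re

# Only TRUSTED_DELEGATOR makes a root a trust anchor for a purpose.
# MUST_VERIFY_TRUST keeps the cert in the store but anchors nothing;
# CKT_NSS_NOT_TRUSTED would be explicit distrust.
TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"

# certdata attribute -> the name Mozilla uses for that trust bit
PURPOSES = {
    "CKA_TRUST_SERVER_AUTH": "websites",
    "CKA_TRUST_EMAIL_PROTECTION": "email",
    "CKA_TRUST_CODE_SIGNING": "code signing",
}

# Constructed certdata.txt fragment (written for this example, not copied
# from NSS). SHA-1 = 74:2C:31:92:...:74:E2; MD5/issuer/serial are dummies.
SAMPLE_CERTDATA = r"""
BEGINDATA
# Trust for "Verisign Class 3 Public Primary Certification Authority"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Verisign Class 3 Public Primary Certification Authority"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\164\054\061\222\346\007\344\044\353\105
\111\124\053\341\273\305\076\141\164\342
END
CKA_CERT_MD5_HASH MULTILINE_OCTAL
\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017
END
CKA_ISSUER MULTILINE_OCTAL
\060\000
END
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\002\001\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

_OCTAL = re.compile(r"\\([0-7]{3})")


def _decode_octal(lines):
    """Turn MULTILINE_OCTAL body lines (\\nnn escapes) into bytes."""
    return bytes(int(o, 8) for line in lines for o in _OCTAL.findall(line))


def parse_trust_objects(text):
    """Return CKO_NSS_TRUST objects as dicts: label, sha1 (colon hex), trust."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:          # bare BEGINDATA marker
            continue
        attr, ctype = parts[0], parts[1]
        if ctype == "MULTILINE_OCTAL":
            body = []
            for nxt in lines:       # consume until the END sentinel
                if nxt.strip() == "END":
                    break
                body.append(nxt)
            value = _decode_octal(body)
        else:
            value = parts[2] if len(parts) > 2 else ""
        if attr == "CKA_CLASS":
            # A new object starts; only trust objects carry trust bits.
            current = {"label": "", "sha1": "", "trust": {}} if value == "CKO_NSS_TRUST" else None
            if current is not None:
                objects.append(current)
        elif current is None:
            continue
        elif attr == "CKA_LABEL":
            current["label"] = value.strip('"')
        elif attr == "CKA_CERT_SHA1_HASH":
            current["sha1"] = ":".join(f"{b:02X}" for b in value)
        elif attr in PURPOSES:
            current["trust"][PURPOSES[attr]] = value
    return objects


def trust_bits(objects, sha1_fingerprint):
    """Map purpose -> True if the root anchors it; None if the root is absent."""
    want = sha1_fingerprint.replace(":", "").upper()
    for obj in objects:
        if obj["sha1"].replace(":", "") == want:
            return {p: obj["trust"].get(p) == TRUSTED for p in PURPOSES.values()}
    return None


if __name__ == "__main__":
    roots = parse_trust_objects(SAMPLE_CERTDATA)
    fp = "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2"
    for purpose, anchored in trust_bits(roots, fp).items():
        print(f"{purpose:13s} {'trust anchor' if anchored else 'not a trust anchor'}")
```

To check a real NSS release rather than the constructed fragment, pass the contents of security/nss/lib/ckfw/builtins/certdata.txt from the NSS source tree to parse_trust_objects(); the parser skips CKO_CERTIFICATE objects and the builtin-root-list object, and a root that is still present but shows CKT_NSS_MUST_VERIFY_TRUST for CKA_TRUST_SERVER_AUTH is exactly the "pulled for websites but not yet removed" case discussed above.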