On 25/03/2019 23:42, Wayne Thayer wrote: > My general sense is that we should be doing more to discourage the use of > SHA-1 rather than less. I've just filed an issue [1] to consider a ban on > SHA-1 S/MIME certificates in the future. > > On Mon, Mar 25, 2019 at 10:54 AM Jakob Bohm via dev-security-policy < > [email protected]> wrote: > >> >> As for myself and my company, we switched to a non-Symantec CA for these >> services before the general SHA-1 deprecation and thus the CA we use can >> continue to update relevant intermediary CAs using the exception to >> extend the lifetime of historic issuing CAs. However it would probably >> be more secure (less danger to users) if CAs routinely issued >> sequentially named new issuing CAs for these purposes at regular >> intervals (perhaps annually), however this is against current Mozilla >> Policy if the root is still in the Mozilla program (as an anchor for >> SHA2 WebPKI or e-mail certs). >> >> > I do acknowledge the legacy issue that Jakob points out, but given that it > hasn't come up before, I question if it is a problem that we need to > address. I would be interested to hear from others who have a need to issue > new SHA-1 subordinate CA certificates for uses beyond the scope of the BRs. > We could consider a loosening of the section 5.1.1 requirements on > intermediates, but I am concerned about creating loopholes and about > contradicting the BRs (which explicitly ban SHA-1 OCSP signing certificates > in section 7.1.3). > > - Wayne > > [1] https://github.com/mozilla/pkipolicy/issues/178 >
The situation has resurfaced due to recent developments affecting the original workarounds. I will have to remind everyone, that when SHA-1 was deprecated, Symantec handled this legacy issue by formally withdrawing a few of their many old (historically Microsoft trusted) roots from the Mozilla root program, allowing those roots to continue to run as "SHA-1-forever" roots completely beyond all "modern" policies. As Digicert winds down the legacy parts of Symantec operations, Windows developers that didn't leave Symantec early will be hunting for alternatives among the CAs whose SHA-1 roots were trusted by the affected MS software versions. A number of those CAs don't have such a stockpile of legacy roots that could be removed from the modern PKI ecosystem without affecting the validity of current SHA-2 certificates. For example GlobalSign, another large CA, only has one root trusted by legacy SHA-1 systems, their R1 root. That root is unfortunately also their forward compatibility root that provides trust to modern WebPKI certificates via cross-signing of later GlobalSign roots. This means that anything GlobalSign does in the SHA-1 compatibility space is constrained by CAB/F, CASC and Mozilla policies, such as the Mozilla restriction to not cut new issuing compatibility CAs and the CASC restriction to stop all SHA-1 code signing support in 2021. Creating new SHA-1-only roots (outside the modern PKI) for this job is not viable, as the roots need to be in the historic versions of the MS root store as bundled by affected systems. For some code, the roots even need to be among the few that got a special kernel mode cross-cert from Microsoft. Those legacy root stores were completely dominated by roots that were bought up by Symantec. Raw data: The full historic list of roots with kernel mode MS cross certs [Apologies if root transfers have sent some to different companies than indicated] Trusted until 2023 (in alphabetical order by brand): [GoDaddy] C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2 Certification Authority [GoDaddy] C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2 Certification Authority [Sectigo] C=SE, O=AddTrust AB, OU=AddTrust External TTP Network, CN=AddTrust External CA Root [Sectigo] C=US, ST=UT, L=Salt Lake City, O=The USERTRUST Network, OU=http://www.usertrust.com, CN=UTN-USERFirst-Object Trusted until 2021 Not Digicert/Symantec (in alphabetical order by brand): [EnTrust] O=Entrust.net, OU=www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Certification Authority (2048) [GlobalSign] C=BE, O=GlobalSign nv-sa, OU=Root CA, CN=GlobalSign Root CA [GoDaddy] C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., CN=Go Daddy Root Certificate Authority - G2 [GoDaddy] C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc., CN=Starfield Root Certificate Authority - G2 [NetLock] C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítványkiadók (Certification Services), CN=NetLock Arany (Class Gold) Főtanúsítvány [NetLock] C=HU, L=Budapest, O=NetLock Kft., OU=Tanúsítványkiadók (Certification Services), CN=NetLock Platina (Class Platinum) Főtanúsítvány [Quihoo] C=IL, O=StartCom Ltd., OU=Secure Digital Certificate Signing, CN=StartCom Certification Authority [SECOM] C=JP, O=SECOM Trust.net, OU=Security Communication RootCA1 [Sectigo] C=PL, O=Unizeto Technologies S.A., OU=Certum Certification Authority, CN=Certum Trusted Network CA Trusted until 2021 DigiCert/Symantec owned (in alphabetical order by brand) C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Assured ID Root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Global Root CA C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Asurance EV Root CA C=US, O=GeoTrust Inc., CN=GeoTrust Primary Certification Authority C=US, O=GeoTrust Inc., OU=(c) 2008 GeoTrust Inc. - For authorized use only, CN=GeoTrust Primary Certification Authority - G3 C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 2 CA, CN=TC TrustCenter Class 2 CA II C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2006 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA C=US, O=thawte, Inc., OU=Certification Services Division, OU=(c) 2008 thawte, Inc. - For authorized use only, CN=thawte Primary Root CA - G3 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2006 VeriSign, Inc. - For authorized use only, CN=VeriSign Class 3 Public Primary Certification Authority - G5 C=US, O=VeriSign, Inc., OU=VeriSign Trust Network, OU=(c) 2008 VeriSign, Inc. - For authorized use only, CN=VeriSign Universal Root Certification Authority There was also a list of 6 CAs trusted until 2016 (Baltimore, Equifax 1024 bit, GlobalSign, GTE CyberTrust and two Symantec roots). Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
