Ah sorry, I switched the fourth and sixth fingerprints. The sixth one (ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6:??) is unidentified.
On Mon, Nov 18, 2024 at 10:37 AM Matthew McPherrin <[email protected]> wrote: > > The fourth fingerprint > (e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2) is also one > octet short, but I have been unable to identify what certificate it is > supposed to match. > > I think this should be > E9:A8:5D:22:14:52:1C:5B:AA:0A:B4:BE:24:6A:23:8A:C9:BA:E2:A9 - > E-Tugra Global Root CA RSA v3 > > > https://crt.sh/?q=E9%3AA8%3A5D%3A22%3A14%3A52%3A1C%3A5B%3AAA%3A0A%3AB4%3ABE%3A24%3A6A%3A23%3A8A%3AC9%3ABA%3AE2%3AA9 > > On Mon, Nov 18, 2024 at 12:25 PM 'Aaron Gable' via > [email protected] <[email protected]> wrote: > >> The certificate with >> fingerprint ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a >> (the first one listed) is TrustCor RootCert CA-1 >> <https://crt.sh/?id=19392284>. You can see the email announcing >> Mozilla's decision to remove TrustCor from their trust store here >> <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/yLohoVqtCgAJ>. >> That email thread also contains most of the discussion and deliberation >> around why TrustCor was removed, as well as messages from the Microsoft and >> Chrome root programs announcing similar distrust decisions. >> >> The second fingerprint listed does not correspond to any known >> certificate, but that is because you have accidentally truncated it by one >> octet. I believe it was meant to >> be b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c*:c0*, in >> which case it matches TrustCor RootCert CA-2 >> <https://crt.sh/?id=19392278>, which was distrusted at the same time as >> the above. >> >> The same goes for the third fingerprint. It should >> be 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78*:bd*, for >> TrustCor >> ECA-1 <https://crt.sh/?id=19392274>, which was also removed at the same >> time as the above. >> >> The fourth fingerprint >> (e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2) is also one >> octet short, but I have been unable to identify what certificate it is >> supposed to match. >> >> The certificate with >> fingerprint 8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84 >> (the fifth one listed) is E-Tugra Global Root CA ECC v3 >> <https://crt.sh/?id=2605043398>. You can see the email announcing >> Mozilla's decision to remove E-Tugra from their trust store here >> <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/C-HrP1SEq1A/m/qDXcQu-hBAAJ> >> . >> >> The sixth fingerprint is also missing its final octet. It should be >> e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2*:a9* to match >> E-Tugra >> Global Root CA RSA v3 <https://crt.sh/?id=2605037174>, which was removed >> from the trust store at the same time as the one above. >> >> Aaron >> >> On Mon, Nov 18, 2024 at 8:41 AM M THUG <[email protected]> wrote: >> >>> Dear Mozilla Firefox Team, >>> >>> I hope this message finds you well. >>> >>> I am writing to inquire about the removal of the following SSL/TLS >>> certificates from Firefox's trusted certificate store. These certificates >>> are identified by the following SHA1 fingerprints: >>> >>> SHA1 Fingerprint: >>> ff:bd:cd:e7:82:c8:43:5e:3c:6f:26:86:5c:ca:a8:3a:45:5b:c3:0a SHA1 >>> Fingerprint: b8:be:6d:cb:56:f1:55:b9:63:d4:12:ca:4e:06:34:c7:94:b2:1c SHA1 >>> Fingerprint: 58:d1:df:95:95:67:6b:63:c0:f0:5b:1c:17:4d:8b:84:0b:c8:78 SHA1 >>> Fingerprint: e9:a8:5d:22:14:52:1c:5b:aa:0a:b4:be:24:6a:23:8a:c9:ba:e2 SHA1 >>> Fingerprint: 8a:2f:af:57:53:b1:b0:e6:a1:04:ec:5b:6a:69:71:6d:f6:1c:e2:84 >>> SHA1 Fingerprint: ae:c5:fb:3f:c8:e1:bf:c4:e5:4f:03:07:5a:9a:e8:00:b7:f7:b6 >>> Could you kindly provide clarification as to why these specific >>> certificates were removed? Understanding the rationale behind this decision >>> will help us assess any potential impact on our systems and ensure that we >>> are adhering to the best practices for security. >>> >>> Thank you in advance for your attention to this matter. I look forward >>> to your response. >>> >>> Best regards, Vamsi >>> >>> -- >>> You received this message because you are subscribed to the Google >>> Groups "[email protected]" group. >>> To unsubscribe from this group and stop receiving emails from it, send >>> an email to [email protected]. >>> To view this discussion visit >>> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ffb4ca11-594d-486b-8b55-2f95f0c3eef0n%40mozilla.org >>> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/ffb4ca11-594d-486b-8b55-2f95f0c3eef0n%40mozilla.org?utm_medium=email&utm_source=footer> >>> . >>> >> -- >> You received this message because you are subscribed to the Google Groups >> "[email protected]" group. >> To unsubscribe from this group and stop receiving emails from it, send an >> email to [email protected]. >> To view this discussion visit >> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErcrE5Fbd%2BSVA9-WTCPYQmgQV4sisMsKtBVOa-XN_%3DJYyw%40mail.gmail.com >> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErcrE5Fbd%2BSVA9-WTCPYQmgQV4sisMsKtBVOa-XN_%3DJYyw%40mail.gmail.com?utm_medium=email&utm_source=footer> >> . >> > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAEmnErf6dagK%3D1Miz3Rg%3DCh3tc0HW-sEKCeYZVCxpk_zd7%3DzBw%40mail.gmail.com.
