Luckily, you caught me just as I was about to apply the patch. With 10.6.1, I have a cert with that name/date with a SHA1 fingerprint of:
95 E6 AD F8 D7 71 46 02 4D D5 6A 21 B2 E7 3F CD F2 3B 35 FF After the upgrade, that cert doesn't exist. I've got one called "StartCom Class 3 Primary Email Free CA" with expiration of 4/4/10, and a fingerprint of: CF 01 DC 25 90 C9 55 C1 8D 76 5A 34 38 F7 37 F1 EB 3B BB 71 However, that cert is marked as "This certificate was signed by an unknown authority". On 11/11/09 7:17 AM, "Peter Saint-Andre" <stpe...@stpeter.im> wrote: > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > On 11/11/09 5:27 AM, Peter Saint-Andre wrote: >> On 11/10/09 10:55 PM, Zachary West wrote: >>> Is the certificate chain missing a link to the root, or is its root CA >>> suddenly untrusted on Snow Leopard? >> >> I'm looking into this with folks from StartCom. There have, over time, >> been two StartCom roots. Certificates issued by the XMPP ICA (which is >> no longer issuing certificates, because now they are being issued >> directly by StartCom) were issued under the old root. So it seems to me >> that perhaps Apple removed the old root from their cert store before all >> the certificates issued under that root had expired. I'll follow up with >> StartCom about this and report back. > > Further research indicates that this is a problem only on Snow Leopard > (I just installed the latest security update on Leopard and the old root > is still in the keychain). > > Could someone do me a favor and look in their keychain on Snow Leopard > to verify that a root for "Free SSL Certification Authority" is or is > not in the system roots? (Click to inspect the cert and it will mention > StartCom -- the old root expires on March 11, 2035.) > > Thanks! > > Peter > > - -- > Peter Saint-Andre > https://stpeter.im/ > > > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.8 (Darwin) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkr55mwACgkQNL8k5A2w/vzb+gCfdmHbCrTS2Ukn/gJD4sCc3UgR > aO8An1/8lEKP5JUOB/EpgiG9DO0SPvQP > =KZuZ > -----END PGP SIGNATURE----- > -- Joe Hildebrand
