On 24/01/17 15:48, Gervase Markham wrote:
> That's because it chains up to the following two roots:
>
> 1) OU=Class 3 Public Primary Certification Authority
> https://crt.sh/?caid=25
This root had its SSL bits disabled around June 2014:
https://bugzilla.mozilla.org/show_bug.cgi?id=986005
https://
ozilla.org; Rob Stradling
; Gervase Markham ;
w...@gmail.com
Subject: Re: I found some SHA-1 certificates issued by Symantec
On Tue, Jan 24, 2017 at 11:08 AM, Peter Bowen wrote:
> On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes
> wrote:
> > On Tue, Jan 24, 2017 at 10:48 A
On 24/01/17 16:19, Rob Stradling wrote:
On 24/01/17 16:11, Richard Barnes wrote:
If the root was removed in Firefox 51, and they were issuing SHA-1 off
of it before 51 shipped, then they were issuing SHA-1 certificates under
a root trusted by Firefox.
You can use SHA-1 under a pulled root, but
On 24/01/17 16:08, Peter Bowen wrote:
>> Indeed, if they issued these before yesterday, this seems like a problem.
>
> I'm a little surprised to read this. This SHA-1 "private" hierarchy
> is not new news and has been discussed in various forums over the year
> or 18 months. At least one other CA
On 24/01/17 16:11, Richard Barnes wrote:
If the root was removed in Firefox 51, and they were issuing SHA-1 off
of it before 51 shipped, then they were issuing SHA-1 certificates under
a root trusted by Firefox.
You can use SHA-1 under a pulled root, but it has to actually be pulled
first.
I
On Tue, Jan 24, 2017 at 11:08 AM, Peter Bowen wrote:
> On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes
> wrote:
> > On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham
> wrote:
> >>
> >> This helpful spreadsheet shows that they were removed in Firefox 47 and
> >> 51 respectively:
> >> https://moz
On Tue, Jan 24, 2017 at 8:00 AM, Richard Barnes wrote:
> On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote:
>>
>> This helpful spreadsheet shows that they were removed in Firefox 47 and
>> 51 respectively:
>> https://mozillacaprogram.secure.force.com/CA/RemovedCACertificateReport
>> Althoug
On 24/01/17 16:00, Richard Barnes wrote:
> Except of course the non-zero slice of users that haven't updated yet.
True, although I think it's unreasonable to give CAs a dependency on the
quality of our automatic update infrastructure. We can have a discussion
about whether "checked into master" or
On Tue, Jan 24, 2017 at 10:48 AM, Gervase Markham wrote:
> On 24/01/17 14:11, w...@gmail.com wrote:
> > I was searching on crt.sh and I found something confusing by accident.
> > View this page : https://crt.sh/?Identity=%25&iCAID=7198
> > I can see many SHA-1 certificates issued in 2016 and
On 24/01/17 15:48, Gervase Markham wrote:
Rob: is the "Trusted by Mozilla" stuff based on the root store on
Mozilla's master branch?
Hi Gerv. Yes, I aim to keep crt.sh's view of "Trusted by Mozilla" in
sync with mozilla-central [1]. [1] was last updated a few days ago, and
I pushed the cha
On 24/01/17 14:11, w...@gmail.com wrote:
> I was searching on crt.sh and I found something confusing by accident.
> View this page : https://crt.sh/?Identity=%25&iCAID=7198
> I can see many SHA-1 certificates issued in 2016 and one is issued in 2017.
Your list is a list of certificates issued
On 24/01/17 14:11, w...@gmail.com wrote:
I was searching on crt.sh and I found something confusing by accident.
View this page : https://crt.sh/?Identity=%25&iCAID=7198
I can see many SHA-1 certificates issued in 2016 and one is issued in 2017.
I think it was banned before so someone could te
12 matches
Mail list logo