Closed Bug 1156844 Opened 9 years ago Closed 8 years ago

Turn off Trust bits for Equifax Secure Certificate Authority 1024-bit root certificate

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: kwilson)

References

Details

(Keywords: dev-doc-needed, site-compat, Whiteboard: Trust bits turned off in NSS 3.21, planned for Firefox 44)

Attachments

(1 file)

Turn off the Websites and Code Signing trust bits for the "Equifax Secure Certificate Authority" 1024-bit root certificate.

We had turned off these trust bits in Bug #986019 and NSS 3.18
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes

But re-enabled the trust bits in Bug #1155279 and NSS 3.18.1
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes

So, this is a new bug to track creating a new plan for phasing out this 1024-bit root certificate.
Right now I suggest ~5 years after RapidSSL switched to a 2048-bit root (other GeoTrust certs switched even earlier), which puts it at around the end of 2015 or the beginning of 2016. This is when the vast majority of such certificates should expire.
We are now planning to do this change in the September batch of root changes, which should go into Firefox 44.
https://wiki.mozilla.org/RapidRelease/Calendar

Reasons: Symantec data indicates that most certs chaining up to this root expire in 2015; we (Mozilla) want to have more granular telemetry before making this change again; and I would like to avoid making a change like this in a release version of Firefox in the November-December shopping season.

Of course, if any security threat arises regarding this root certificate, we will take the necessary action earlier.
Whiteboard: Target Firefox 44
Kathleen: is there a bug for the "September batch of root changes"? If so, could you make this one depend on that one? Trunk becomes Firefox 44 today, I believe.

Richard: Have we managed to get that more granular telemetry that Kathleen mentioned in comment 2?

Gerv
Flags: needinfo?(rlb)
Flags: needinfo?(kwilson)
We plan to include this change in the October batch of root changes, which will target Firefox 44.

We have been making great progress in the areas of TLS-related telemetry and compatibility testing, so I am confident about making this change in Firefox 44.
Flags: needinfo?(rlb)
Flags: needinfo?(kwilson)
Depends on: 1214729
This bug is about:

OU = Equifax Secure Certificate Authority
SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
(In reply to Kai Engert (:kaie) from comment #5)
> This bug is about:
> 
> OU = Equifax Secure Certificate Authority
> SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

Correct. Thanks!
I have checked the test build
https://bugzilla.mozilla.org/show_bug.cgi?id=1214729#c2
and confirm that the websites and code signing trust bits are turned off for this root.
Only the Email trust bit remains enabled for this root.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: Target Firefox 44 → Trust bits turned off in NSS 3.21, planned for Firefox 44
(Noticed this bug linked on Sleevi's blog post[1])

I only have a sampled view of the Internet, but there don't seem to be many valid certificates that depend on this root. I count 28, in a database of ~1M certs. Half of them belong to avon.com, which apparently switched to GeoTrust on their main site.

Hope that helps...

[1] https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc9bb089#.3iyh9ro7c
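The two checks a site operator would want after reading this bug are (a) whether any of their own chains still terminate at the root identified by the SHA-1 fingerprint in comment #5, which is what the census in the comment above did at Internet scale, and (b) what the root's NSS trust record looks like once the websites and code-signing bits are cleared, which is what comment #7 confirmed against the test build. The following is an added example, not code from the bug or from NSS: only the root fingerprint comes from this page, the sample chain inventory is constructed, and the trust-string handling models the three-field `ssl,email,objsign` form that certutil prints.

```python
"""Added example: identify chains ending at the Equifax Secure CA 1024-bit
root named in this bug, and model the trust-bit change NSS 3.21 made to it."""
import hashlib

# SHA-1 fingerprint of the root this bug covers (from comment #5 on the bug).
EQUIFAX_ROOT_SHA1 = "D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A"

# certutil trust strings have three comma-separated fields in this order;
# a "C" in a field marks the certificate as a trusted CA for that usage.
USAGES = ("ssl", "email", "objsign")


def fingerprint_sha1(der: bytes) -> str:
    """SHA-1 over DER-encoded certificate bytes, rendered the way Bugzilla and
    certutil print it: uppercase hex pairs separated by colons."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def parse_trust(trust: str) -> dict:
    """Split a certutil trust string such as "C,C,C" into per-usage fields."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected 'ssl,email,objsign' trust string, got {trust!r}")
    return dict(zip(USAGES, fields))


def drop_websites_and_codesigning(trust: str) -> str:
    """Apply the change this bug made to the root's trust record: clear the
    SSL (websites) and object-signing fields, leave S/MIME (email) as it was.
    "C,C,C" therefore becomes ",C,", matching comment #7."""
    flags = parse_trust(trust)
    flags["ssl"] = ""
    flags["objsign"] = ""
    return ",".join(flags[usage] for usage in USAGES)


def chains_to_equifax(chain_sha1: list) -> bool:
    """True if the last (root) fingerprint of a chain is the Equifax root."""
    return bool(chain_sha1) and chain_sha1[-1].upper() == EQUIFAX_ROOT_SHA1


def hosts_affected(records: list) -> list:
    """Hostnames whose served chain still ends at the Equifax root; once the
    websites trust bit is off, Firefox will no longer accept those chains."""
    return [r["host"] for r in records if chains_to_equifax(r["chain_sha1"])]


# Constructed sample inventory: hostnames and the non-root fingerprint labels
# are made up; only the last element of each chain matters to the check.
SAMPLE_RECORDS = [
    {"host": "shop.example.test",
     "chain_sha1": ["LEAF-A (constructed)", "INTERMEDIATE-A (constructed)",
                    EQUIFAX_ROOT_SHA1]},
    {"host": "www.example.test",
     "chain_sha1": ["LEAF-B (constructed)", "INTERMEDIATE-B (constructed)",
                    "OTHER-ROOT (constructed)"]},
    {"host": "mail.example.test",
     "chain_sha1": ["LEAF-C (constructed)", EQUIFAX_ROOT_SHA1.lower()]},
]

if __name__ == "__main__":
    print("root trust before:", "C,C,C")
    print("root trust after: ", drop_websites_and_codesigning("C,C,C"))
    print("hosts that will fail once the websites bit is off:",
          hosts_affected(SAMPLE_RECORDS))
```

`fingerprint_sha1` takes the raw DER bytes of a certificate (for a PEM file, base64-decode the body between the BEGIN/END markers first); the comparison in `chains_to_equifax` is case-insensitive because tools differ in how they print fingerprints.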
Product: mozilla.org → NSS
Product: NSS → CA Program