Closed
Bug 1156844
Opened 9 years ago
Closed 8 years ago
Turn off Trust bits for Equifax Secure Certificate Authority 1024-bit root certificate
Categories: CA Program :: CA Certificate Root Program (task)
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: kwilson, Assigned: kwilson
Keywords: dev-doc-needed, site-compat
Whiteboard: Trust bits turned off in NSS 3.21, planned for Firefox 44
Attachments (1 file): 5.91 KB, text/plain
Turn off the Websites and Code Signing trust bits for the "Equifax Secure Certificate Authority" 1024-bit root certificate.

We had turned off these trust bits in Bug #986019 and NSS 3.18: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes

But re-enabled the trust bits in Bug #1155279 and NSS 3.18.1: https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes

So, this is a new bug to track creating a new plan for phasing out this 1024-bit root certificate.
Comment 1•9 years ago
Right now I suggest ~5 years after RapidSSL switched to a 2048-bit root (other GeoTrust certs switched even earlier), which puts it at around the end of 2015 or the beginning of 2016. This is when the vast majority of such certificates should expire.
Comment 2•9 years ago
We are now planning to do this change in the September batch of root changes, which should go into Firefox 44: https://wiki.mozilla.org/RapidRelease/Calendar

Reasons: Symantec data indicates that most certs chaining up to this root expire in 2015; we (Mozilla) want to have more granular telemetry before making this change again; and I would like to avoid making a change like this in a release version of Firefox in the November-December shopping season. Of course, if any security threat arises regarding this root certificate, we will take the necessary action earlier.
Whiteboard: Target Firefox 44
Comment 3•9 years ago
Kathleen: is there a bug for the "September batch of root changes"? If so, could you make this one depend on that one? Trunk becomes Firefox 44 today, I believe.

Richard: Have we managed to get that more granular telemetry that Kathleen mentioned in comment 2?

Gerv
Flags: needinfo?(rlb)
Flags: needinfo?(kwilson)
Comment 4•9 years ago
We plan to include this change in the October batch of root changes, which will target Firefox 44. We have been making great progress in the areas of TLS-related telemetry and compatibility testing, so I am confident about making this change in Firefox 44.
Flags: needinfo?(rlb)
Flags: needinfo?(kwilson)
Updated•9 years ago
Keywords: dev-doc-needed, site-compat
Comment 5•9 years ago
This bug is about:

OU = Equifax Secure Certificate Authority
SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
Comment 6•9 years ago
(In reply to Kai Engert (:kaie) from comment #5)
> This bug is about:
>
> OU = Equifax Secure Certificate Authority
> SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

Correct. Thanks!
Comment 7•9 years ago
I have checked the test build https://bugzilla.mozilla.org/show_bug.cgi?id=1214729#c2 and confirm that the websites and code signing trust bits are turned off for this root. Only the Email trust bit remains enabled for this root.
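The trust-bit change this thread tracks, using the fingerprint from comment 5 and the final state from comment 7, as an added example that is not NSS or Mozilla code: it models certutil's three-field trust attribute string (SSL, S/MIME, object signing, with 'C' meaning trusted CA for that usage), looks a chain's root up in a trust store by SHA-1 fingerprint, and reports which bits a store change removed. The two store states and the placeholder chain bytes are constructed for the example; path building and signature validation are out of scope.

```python
import hashlib

# SHA-1 fingerprint of the root this bug is about (quoted from comment 5).
EQUIFAX_1024_SHA1 = "D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A"

# certutil prints trust attributes as three comma-separated fields in this order.
USAGES = ("ssl", "email", "objsign")


def parse_trust(attrs):
    """Parse a certutil-style trust string such as "C,C,C" or ",C,".

    Only the 'C' flag (trusted CA for that usage) is modelled here; any other
    flag is treated as not conveying CA trust for the usage.
    """
    fields = attrs.split(",")
    if len(fields) != 3:
        raise ValueError("expected three comma-separated fields, got %r" % attrs)
    return {usage: "C" in field for usage, field in zip(USAGES, fields)}


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA-1 of a DER certificate, as shown in comment 5."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def root_trusted_for(root_fp, store, usage):
    """True if the store grants the CA trust bit for `usage` to this root."""
    if usage not in USAGES:
        raise ValueError("unknown usage %r" % usage)
    attrs = store.get(root_fp.upper())
    if attrs is None:
        return False  # root not in the store at all
    return parse_trust(attrs)[usage]


def chain_usable_for(chain_der, store, usage):
    """Check the root (last element) of a leaf-first DER chain against the store.

    This answers only the question this bug changes: does the root carry the bit?
    """
    return root_trusted_for(sha1_fingerprint(chain_der[-1]), store, usage)


def bits_turned_off(before, after, root_fp):
    """Usages for which a root lost its CA trust bit between two store states."""
    b = parse_trust(before.get(root_fp.upper(), ",,"))
    a = parse_trust(after.get(root_fp.upper(), ",,"))
    return sorted(u for u in USAGES if b[u] and not a[u])


# Constructed store states for this root: before the change (as restored by
# Bug 1155279 / NSS 3.18.1) and after it (NSS 3.21): websites and code signing
# off, email still on.
STORE_BEFORE = {EQUIFAX_1024_SHA1: "C,C,C"}
STORE_AFTER = {EQUIFAX_1024_SHA1: ",C,"}

if __name__ == "__main__":
    print("turned off:", bits_turned_off(STORE_BEFORE, STORE_AFTER, EQUIFAX_1024_SHA1))
    # Constructed placeholder bytes standing in for a DER chain; a real chain
    # would be read from files. Its root is not in the store, so it is refused.
    fake_chain = [b"constructed leaf", b"constructed root"]
    print("fake chain for ssl:", chain_usable_for(fake_chain, STORE_AFTER, "ssl"))
```

Fingerprints are normalised to upper case before lookup so that the lower-case form some tools print still matches the store key; a root missing from the store is treated the same as one with all bits off, which is the safe default for a trust decision.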
Updated•8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: Target Firefox 44 → Trust bits turned off in NSS 3.21, planned for Firefox 44
Comment 8•8 years ago
(Noticed this bug linked on Sleevi's blog post[1])

I only have a sampled view of the Internet, but there don't seem to be many valid certificates that depend on this root. I count 28, in a database of ~1M certs. Half of them belong to avon.com, which apparently switched to GeoTrust on their main site. Hope that helps...

[1] https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc9bb089#.3iyh9ro7c
Updated•7 years ago
Product: mozilla.org → NSS
Updated•1 year ago
Product: NSS → CA Program