542051 - Add SHA1 versions of "Thawte Server CA" and "Thawte Premium Server CA" roots

Status: RESOLVED WONTFIX

(CA Program :: CA Certificate Root Program, task)

Description

[Tony Berman]

User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; MS-RTC LM 8; InfoPath.1)
Build Identifier: 

Please include SHA1 versions of the "Thawte Server CA" and "Thawte Premium Server CA". The version of the root currently in the NSS root store uses MD5. We are replacing this with a rehashed version that uses SHA1. The new SHA-1 root has the same name and public key but a different serial number.

Reproducible: Always

Comment 1

[Tony Berman]

Attachment: SHA1 version of Thawte Server CA

Comment 2

[Tony Berman]

Attachment: Thawte Premium Sever CA SHA1 version

Comment 3

[Jo Hermans]

assuming that you're a colleague of Jay Schiavo (mentioned in other requests like bug 484903 and bug 409237), I'm moving this to the correct category.

Comment 4

[Kathleen Wilson]

Both of these roots are SHA1, 1024-bit.

I believe that the purpose of including these roots at this point in time would be to transition off of the equivalent MD5 roots that are currently in NSS.  However, it looks like we will be disabling MD5 via an NSS environment variable, so perhaps the certs under those MD5 roots don't need to be migrated to these Sha1 roots?

Also note that the root inclusion process takes about a year:
https://wiki.mozilla.org/CA:How_to_apply#Timeline
So these roots would likely get included after the cutoff date for CAs to stop issuing certs under 1024-bit roots.

Comment 5

[Kathleen Wilson]

Tony, Can this bug be closed?

Comment 6

[Kathleen Wilson]

We are no longer adding 1024-bit roots.