Bug 1138086 - Root cleanup to remove or turn off trust bits on legacy Root CAs and non-trusted CAs
Status: RESOLVED FIXED (Closed)
Opened 11 years ago; closed 9 years ago
Product / Component: CA Program :: CA Certificate Root Program (task)
Tracking: Not tracked
Reporter: osman; Assignee: kathleen.a.wilson
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/40.0.2214.115 Safari/537.36
Steps to reproduce:
In accordance with the Mozilla CA Certificate Maintenance Policy (Version 2.2), I propose the following changes to the NSS Root CA database:
######################
Turn off all trust bits on the following CAs:
O= NetLock Ltd.
CN= NetLock Kozjegyzoi (Class A) Tanusitvanykiado
SHA1= AC:ED:5F:65:53:FD:25:CE:01:5F:1F:7A:48:3B:6A:74:9F:61:78:C6
Reason= Signature algorithm is MD5
O= IdenTrust
CN= Digital Signature Trust Co. Global CA 1
SHA1= 81:96:8B:3A:EF:1C:DC:70:F5:FA:32:69:C2:92:A3:63:5B:D1:23:D3
Reason= Small key length (<2048 Bit)
O= Symantec / GeoTrust
CN= Equifax Secure Global eBusiness CA-1
SHA1= 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45
Reason= The long-lived certs should have expired or are close to expiring.
O= Symantec / GeoTrust
CN= Equifax Secure CA
SHA1= D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
Reason= Small key length (<2048 Bit) and long-lived certs should have expired or are close to expiring.
O= Symantec / VeriSign
CN= VeriSign Class 1 Public PCA
SHA1= CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1
Reason= Small key length (<2048 Bit)
O= Symantec / VeriSign
CN= VeriSign Class 1 Public PCA – G2
SHA1= 27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47
Reason= Small key length (<2048 Bit)
O= Symantec / VeriSign
CN= VeriSign Class 2 Public PCA – G2
SHA1= B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D
Reason= Small key length (<2048 Bit) and long-lived certs should have expired or are close to expiring.
######################
Remove the following Root CAs:
O= NetLock Ltd.
CN= NetLock Expressz (Class C) Tanusitvanykiado
SHA1= E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B
Reason= Small key length (<2048), MD5 signature algorithm, and trust bits have been turned off for a period of time and the certificate should be removed to protect against software that doesn't properly check trust bits.
O= NetLock Ltd.
CN= NetLock Uzleti (Class B) Tanusitvanykiado
SHA1= 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF
Reason= Small key length (<2048), MD5 signature algorithm, and trust bits have been turned off for a period of time and the certificate should be removed to protect against software that doesn't properly check trust bits.
O= Symantec / GeoTrust
CN= Equifax Secure eBusiness CA-1
SHA1= DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41
Reason= Small key length (<2048), MD5 signature algorithm, and trust bits have been turned off for a period of time and the certificate should be removed to protect against software that doesn't properly check trust bits.
O= Symantec / VeriSign
CN= VeriSign Class 3 Public PCA
SHA1= 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2
Reason= Small key length (<2048), MD2 signature algorithm, and trust bits have been turned off for a period of time and the certificate should be removed to protect against software that doesn't properly check trust bits.
O= Symantec / VeriSign
CN= VeriSign Class 3 Public PCA
SHA1= A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B
Reason= Small key length (<2048), MD5 signature algorithm, and trust bits have been turned off for a period of time and the certificate should be removed to protect against software that doesn't properly check trust bits.
O= Symantec / VeriSign
CN= VeriSign Class 3 Public PCA – G2
SHA1= 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F
Reason= Small key length (<2048), MD5 signature algorithm, and trust bits have been turned off for a period of time and the certificate should be removed to protect against software that doesn't properly check trust bits.
Comment 1 (Assignee) • 11 years ago
A few comments about this bug.
The signature algorithm of the root cert does not matter, because the signatures of root certificates are not validated (roots are self-signed).
I will contact the NetLock CA to see which of their roots are ready to be removed. They have been migrating customers off of their old roots, and just waiting for previously issued certs to expire.
Turning off the websites and code signing trust bits for the Equifax roots is being handled in Bug #986019.
Some 1024-bit roots are remaining in NSS with only the email (S/MIME) trust bit enabled. This is due to the large number of users still using certs chaining to those roots. Of course, the websites and code signing trust bits are being turned off (or have been turned off) for the 1024-bit roots.
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS#CA_certificates_pre-loaded_into_NSS
Consumers of this list must consider the trust bit setting for each included root certificate...
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
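The description lists three criteria for flagging a root (RSA key shorter than 2048 bits, an MD2/MD5 signature algorithm, and presence on the removal list), and comment 1 adds the caveat that a self-signed root's own signature is never validated. The following Go program is an added example, not code from this bug, from NSS or from Mozilla's root program, that applies those criteria to a PEM bundle of root certificates using only the standard library. The removal list contains the SHA-1 fingerprints copied from the description's "Remove the following Root CAs" section; the two test roots it builds (one 1024-bit, one 2048-bit) are constructed locally and are not any real CA's certificates. Because Go refuses to sign with MD5, the test roots are SHA-256 signed, so only the key-length and removal-list checks fire on them; the MD2/MD5 check is still applied to whatever bundle is audited and, following comment 1, is reported as informational for a self-signed root.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Finding records why one root would be flagged under the bug's criteria.
type Finding struct {
	Subject string
	SHA1    string
	Reasons []string
}

// removalList: SHA-1 fingerprints from the bug description's removal section.
// A real audit would load the full list from the bug or the wiki page.
var removalList = map[string]bool{
	"E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B": true, // NetLock Expressz (Class C)
	"87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF": true, // NetLock Uzleti (Class B)
	"DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41": true, // Equifax Secure eBusiness CA-1
	"74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2": true, // VeriSign Class 3 Public PCA (MD2)
	"A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B": true, // VeriSign Class 3 Public PCA (MD5)
	"85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F": true, // VeriSign Class 3 Public PCA - G2
}

// fingerprintSHA1 renders the SHA-1 of the DER encoding in the bug's colon-separated form.
func fingerprintSHA1(der []byte) string {
	sum := sha1.Sum(der)
	parts := make([]string, len(sum))
	for i, b := range sum {
		parts[i] = fmt.Sprintf("%02X", b)
	}
	return strings.Join(parts, ":")
}

// rsaKeyBits returns the RSA modulus size, or 0 for non-RSA keys.
func rsaKeyBits(cert *x509.Certificate) int {
	if k, ok := cert.PublicKey.(*rsa.PublicKey); ok {
		return k.N.BitLen()
	}
	return 0
}

// auditRoot applies the three criteria from the bug to one parsed certificate.
func auditRoot(cert *x509.Certificate) Finding {
	f := Finding{Subject: cert.Subject.String(), SHA1: fingerprintSHA1(cert.Raw)}
	if bits := rsaKeyBits(cert); bits > 0 && bits < 2048 {
		f.Reasons = append(f.Reasons, fmt.Sprintf("Small key length (%d Bit, <2048 Bit)", bits))
	}
	switch cert.SignatureAlgorithm {
	case x509.MD2WithRSA, x509.MD5WithRSA:
		// Per comment 1 this does not weaken a self-signed root (its signature is
		// not validated), so it is reported but not treated as a trust failure.
		f.Reasons = append(f.Reasons, "Signature algorithm is "+cert.SignatureAlgorithm.String()+" (informational for a self-signed root)")
	}
	if removalList[f.SHA1] {
		f.Reasons = append(f.Reasons, "Listed for removal in bug 1138086")
	}
	return f
}

// auditPEMBundle parses every CERTIFICATE block in a bundle and returns the flagged roots.
func auditPEMBundle(bundle []byte) ([]Finding, error) {
	var flagged []Finding
	for rest := bundle; ; {
		var block *pem.Block
		if block, rest = pem.Decode(rest); block == nil {
			return flagged, nil
		}
		if block.Type != "CERTIFICATE" {
			continue
		}
		cert, err := x509.ParseCertificate(block.Bytes)
		if err != nil {
			return nil, err
		}
		if f := auditRoot(cert); len(f.Reasons) > 0 {
			flagged = append(flagged, f)
		}
	}
}

// makeTestRoot builds a constructed self-signed root (SHA-256 signed; Go will not
// sign with MD5) with the given RSA key size, so the audit can be exercised offline.
func makeTestRoot(cn string, bits int) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{Organization: []string{"Example Test CA"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		SignatureAlgorithm:    x509.SHA256WithRSA,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	weak, err := makeTestRoot("Example Weak 1024-bit Root", 1024)
	if err != nil {
		panic(err)
	}
	strong, err := makeTestRoot("Example 2048-bit Root", 2048)
	if err != nil {
		panic(err)
	}
	findings, err := auditPEMBundle(append(weak, strong...))
	if err != nil {
		panic(err)
	}
	for _, f := range findings { // only the 1024-bit root is printed
		fmt.Printf("%s\nSHA1= %s\n", f.Subject, f.SHA1)
		for _, r := range f.Reasons {
			fmt.Println("Reason=", r)
		}
	}
}
```

To audit a real bundle, replace the constructed roots in main with the bytes of a PEM file; NSS trust bits are not stored in the certificate itself, so a flagged root still has to be cross-checked against the trust settings (websites, email, code signing) before deciding whether it is actually trusted for a given purpose.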
Comment 2 (Assignee) • 11 years ago
(In reply to Kathleen Wilson from comment #1)
> I will contact the NetLock CA to see which of their roots are ready to be
> removed. They have been migrating customers off of their old roots, and just
> waiting for previously issued certs to expire.
Response from NetLock:
The following can be removed, if it is possible, on December 31st 2015:
- NetLock Kozjegyzoi (Class A) Tanusitvanykiado
- NetLock Uzleti (Class B) Tanusitvanykiado
- NetLock Expressz (Class C) Tanusitvanykiado
- NetLock Minositett Kozjegyzoi (Class QA) Tanusitvanykiado
Thank you for the update on NetLock. I can't wait until this cruft is gone. :)
2015-12-31 is coming up and I'm hoping NetLock is still on target to expire their old cruft. Any updates on that? I don't see a particular Bugzilla report on that particular issue.
Comment 5 (Assignee) • 10 years ago
Bug #1229885 addresses the removal of these NetLock roots. It will be picked up in the next batch of root changes.
Comment 7 (Assignee) • 10 years ago
By the way, I added a wiki page: https://wiki.mozilla.org/CA:RemovedCAcerts
It has these two links:
1) Removed Certs Spreadsheet**: https://mozillacaprogram.secure.force.com/CA/RemovedCACertificateReport
2) Upcoming Root Cert Removals: https://mozillacaprogram.secure.force.com/CA/UpcomingRootRemovalsReport
** Important Caveat: The Removed Certs Spreadsheet currently only lists the cert removals that have happened since September 2014, which is when we began using Salesforce to maintain the root store data.
Comment 8 (Assignee) • 9 years ago
All of the root certs listed in this bug have been removed.
See:
https://wiki.mozilla.org/CA:RemovedCAcerts
https://wiki.mozilla.org/CA:IncludedCAs
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated • 9 years ago: Product: mozilla.org → NSS
Updated • 3 years ago: Product: NSS → CA Program