Turn off Trust bits for Equifax Secure Certificate Authority 1024-bit root certificate

Status

RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: kwilson, Assigned: kwilson)

Tracking

({dev-doc-needed, site-compat})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: Trust bits turned off in NSS 3.21, planned for Firefox 44)

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
Turn off the Websites and Code Signing trust bits for the "Equifax Secure Certificate Authority" 1024-bit root certificate.

We had turned off these trust bits in Bug #986019 and NSS 3.18:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes

But re-enabled the trust bits in Bug #1155279 and NSS 3.18.1:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes

So, this is a new bug to track creating a new plan for phasing out this 1024-bit root certificate.

Comment 1

4 years ago
Right now I suggest ~5 years after RapidSSL switched to a 2048-bit root (other GeoTrust certs switched even earlier), which puts it at around the end of 2015 or the beginning of 2016. This is when the vast majority of such certificates should expire.
(Assignee)

Comment 2

4 years ago
We are now planning to do this change in the September batch of root changes, which should go into Firefox 44. 
https://wiki.mozilla.org/RapidRelease/Calendar

Reasons: Symantec data indicates that most certs chaining up to this root expire in 2015; we (Mozilla) want to have more granular telemetry before making this change again; and I would like to avoid making a change like this in a release version of Firefox in the November-December shopping season.

Of course, if any security threat arises regarding this root certificate, we will take the necessary action earlier.
Whiteboard: Target Firefox 44

Comment 3

4 years ago
Kathleen: is there a bug for the "September batch of root changes"? If so, could you make this one depend on that one? Trunk becomes Firefox 44 today, I believe.

Richard: Have we managed to get that more granular telemetry that Kathleen mentioned in comment 2? 

Gerv
Flags: needinfo?(rlb)
Flags: needinfo?(kwilson)
(Assignee)

Comment 4

4 years ago
We plan to include this change in the October batch of root changes, which will target Firefox 44. 

We have been making great progress in the areas of TLS-related telemetry and compatibility testing, so I am confident about making this change in Firefox 44.
Flags: needinfo?(rlb)
Flags: needinfo?(kwilson)
Keywords: dev-doc-needed, site-compat

Updated

4 years ago
Depends on: 1214729

Comment 5

4 years ago
This bug is about:

OU = Equifax Secure Certificate Authority
SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
(Assignee)

Comment 6

4 years ago
(In reply to Kai Engert (:kaie) from comment #5)
> This bug is about:
> 
> OU = Equifax Secure Certificate Authority
> SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

Correct. Thanks!
(Assignee)

Comment 7

4 years ago
I have checked the test build 
https://bugzilla.mozilla.org/show_bug.cgi?id=1214729#c2
and confirm that the websites and code signing trust bits are turned off for this root.
Only the Email trust bit remains enabled for this root.
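The state comment 7 describes (Websites and Code Signing off, Email still on) can be verified on any NSS database by reading the trust attribute column of `certutil -L`. The following is an added example written for this page, not code from the bug or from NSS: the sample listing is constructed, and the mapping of certutil's three comma-separated fields (SSL, S/MIME, JAR/XPI) onto the Websites, Email and Code Signing trust bits follows certutil's own column legend.

```python
"""Interpret the trust attribute column of `certutil -L` output.

Added example for this bug page, not NSS code.  certutil prints one row per
certificate: the nickname, then a trust string with three comma-separated
fields in the order SSL, S/MIME, JAR/XPI.  Those are the Websites, Email and
Code Signing trust bits that this bug changes.  A 'C' in a field means the
certificate is trusted as a CA for that purpose; an empty field (or a lower
case 'c', valid but not trusted) means the trust bit is off.
"""
import re
import subprocess

PURPOSES = ("websites", "email", "code_signing")

# One certificate row: nickname, two or more spaces, then the trust string.
_ROW_RE = re.compile(
    r"^(?P<nick>\S.*?)\s{2,}(?P<attrs>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_trust_attributes(attrs):
    """Map a trust string such as ',C,' to {purpose: trusted_as_ca}."""
    fields = attrs.strip().split(",")
    if len(fields) != 3:
        raise ValueError(f"expected three comma-separated fields, got {attrs!r}")
    return {purpose: "C" in field for purpose, field in zip(PURPOSES, fields)}


def parse_certutil_listing(text):
    """Return {nickname: trust dict} for every certificate row in the listing.

    The header line and the 'SSL,S/MIME,JAR/XPI' legend do not match _ROW_RE
    (the legend is indented and its fields contain '/') and are skipped.
    """
    rows = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m:
            rows[m.group("nick")] = parse_trust_attributes(m.group("attrs"))
    return rows


def check_root(listing, nickname, expected):
    """Return the purposes whose trust differs from `expected`; {} means it matches."""
    actual = listing.get(nickname)
    if actual is None:
        raise KeyError(f"{nickname!r} not found in listing")
    return {p: actual[p] for p in PURPOSES if actual[p] != expected[p]}


# State this bug leaves the root in: Websites and Code Signing off, Email on.
EXPECTED_AFTER_FIX = {"websites": False, "email": True, "code_signing": False}

# Constructed sample of certutil -L output (not captured from a real database).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Equifax Secure Certificate Authority                         ,C,
Example Fully Trusted Root                                   C,C,C
"""


def listing_from_nssdb(dbdir):
    """Run certutil against a database directory (needs the NSS tools installed)."""
    out = subprocess.run(["certutil", "-L", "-d", f"sql:{dbdir}"],
                         capture_output=True, text=True, check=True)
    return parse_certutil_listing(out.stdout)


if __name__ == "__main__":
    roots = parse_certutil_listing(SAMPLE_LISTING)
    nick = "Equifax Secure Certificate Authority"
    print(nick, roots[nick])
    print("mismatches against expected state:",
          check_root(roots, nick, EXPECTED_AFTER_FIX))
```

Running it against the constructed listing reports no mismatches for the Equifax row, while the fully trusted sample root is flagged on `websites` and `code_signing`; `listing_from_nssdb` does the same against a live database such as `sql:$HOME/.pki/nssdb`.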
(Assignee)

Updated

3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Whiteboard: Target Firefox 44 → Trust bits turned off in NSS 3.21, planned for Firefox 44
Comment 8

(Noticed this bug linked on Sleevi's blog post[1])

I only have a sampled view of the Internet, but there don't seem to be many valid certificates that depend on this root. I count 28, in a database of ~1M certs. Half of them belong to avon.com, which apparently switched to geotrust on their main site.

Hope that helps...

[1] https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc9bb089#.3iyh9ro7c
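The count in the previous comment, and the site-compat concern behind this bug, come down to one question a site operator can answer locally: does a served chain still contain this root? The following is an added example written for this page, not code from the bug, Mozilla or NSS. It scans a PEM bundle for certificates whose SHA-1 fingerprint matches the one quoted in comment 5; the test input is a constructed byte string standing in for a certificate, not a real certificate.

```python
"""Find certificates in a PEM bundle whose SHA-1 fingerprint is on a list of
roots whose Websites/Code Signing trust bits have been turned off.

Added example for this bug page, not Mozilla or NSS code.  Point it at a
server's chain file: a hit on the Equifax fingerprint from comment 5 means
the chain still relies on the 1024-bit root this bug phases out, so the
certificate needs to be reissued under a 2048-bit root.
"""
import base64
import hashlib
import re
import sys

# Fingerprint of the root this bug is about, as given in comment 5.
DISTRUSTED_ROOTS = {
    "D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A":
        "Equifax Secure Certificate Authority (1024-bit root)",
}

_PEM_BLOCK_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_blocks(pem_text):
    """Return the DER bytes of every CERTIFICATE block in a PEM bundle, in order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_BLOCK_RE.finditer(pem_text)]


def der_to_pem(der):
    """Wrap DER bytes as one PEM CERTIFICATE block (64-column base64)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA-1 fingerprint, the form Bugzilla and NSS print."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def find_distrusted(pem_text, roots=None):
    """Return (position, fingerprint, name) for each bundle cert whose fingerprint is listed."""
    roots = DISTRUSTED_ROOTS if roots is None else roots
    hits = []
    for pos, der in enumerate(pem_to_der_blocks(pem_text)):
        fp = sha1_fingerprint(der)
        if fp in roots:
            hits.append((pos, fp, roots[fp]))
    return hits


if __name__ == "__main__":
    # Usage: python scan_bundle.py chain.pem
    with open(sys.argv[1], encoding="ascii") as fh:
        bundle = fh.read()
    hits = find_distrusted(bundle)
    for pos, fp, name in hits:
        print(f"certificate #{pos} is {name}: {fp}")
    if not hits:
        print("no listed roots found in bundle")
```

The scan deliberately matches on the whole-certificate fingerprint rather than the subject name: a 2048-bit GeoTrust cross-signed by this root shares the subject OU of the replacement roots, and only the fingerprint tells the two apart.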

Updated

2 years ago
Product: mozilla.org → NSS