Turn off the Websites and Code Signing trust bits for the "Equifax Secure Certificate Authority" 1024-bit root certificate. We had turned off these trust bits in Bug #986019 and NSS 3.18 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18_release_notes But re-enabled the trust bits in Bug #1155279 and NSS 3.18.1 https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.18.1_release_notes So, this is a new bug to track creating a new plan for phasing out this 1024-bit root certificate.
Right now I suggest ~5 years after RapidSSL switched to a 2048-bit root (other GeoTrust certs switched even earlier), which put it at around the end of 2015 or the beginning of 2016. This is when the vast majority of such certificates should expire,
We are now planning to do this change in the September batch of root changes, which should go into Firefox 44. https://wiki.mozilla.org/RapidRelease/Calendar Reasons: Symantec data indicates that most certs chaining up to this root expire in 2015; we (Mozilla) want to have more granular telemetry before making this change again; and I would like to avoid making a change like this in a release version of Firefox in the November-December shopping season. Of course, if any security threat arises regarding this root certificate, we will take the necessary action earlier.
Whiteboard: Target Firefox 44
Kathleen: is there a bug for the "September batch of root changes"? If so, could you make this one depend on that one? Trunk becomes Firefox 44 today, I believe.

Richard: Have we managed to get that more granular telemetry that Kathleen mentioned in comment 2?

Gerv
We plan to include this change in the October batch of root changes, which will target Firefox 44. We have been making great progress in the areas of TLS-related telemetry and compatibility testing, so I am confident about making this change in Firefox 44.
Keywords: dev-doc-needed, site-compat
This bug is about:

OU = Equifax Secure Certificate Authority
SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
(In reply to Kai Engert (:kaie) from comment #5)
> This bug is about:
>
> OU = Equifax Secure Certificate Authority
> SHA1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

Correct. Thanks!
I have checked the test build https://bugzilla.mozilla.org/show_bug.cgi?id=1214729#c2 and confirm that the websites and code signing trust bits are turned off for this root. Only the Email trust bit remains enabled for this root.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Whiteboard: Target Firefox 44 → Trust bits turned off in NSS 3.21, planned for Firefox 44
(Noticed this bug linked on Sleevi's blog post) I only have a sampled view of the Internet, but there doesn't seem to be many valid certificates that depend on this root. I count 28, in a database of ~1M certs. Half of them belong to avon.com, which apparently switched to geotrust on their main site. Hope that helps... https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc9bb089#.3iyh9ro7c
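As an added example (not code from this bug, from NSS, or from Mozilla), the script below shows how a site operator or auditor could scan a PEM bundle for certificates affected by this trust-bit change, the kind of count the previous comment describes. It computes the SHA-1 fingerprint in the colon form Bugzilla uses and compares it with the fingerprint from comment 5, reads the issuer OU and RSA modulus size through a small DER walker, and flags anything issued under the Equifax OU or carrying a key shorter than 2048 bits. The DER walker, the PEM helpers and the sample certificate it builds are assumptions of this example (well-formed v3 certificates with RSA keys; the sample has a zero signature and a constructed modulus); only the fingerprint and the OU string come from the bug.

```python
"""Flag certificates that depend on the 1024-bit Equifax root (stdlib only).

Added example, not code from the bug or from NSS. The DER reader assumes
well-formed X.509 v3 certificates with RSA keys; the sample certificate is
constructed here and is not a real one.
"""
import base64
import hashlib
import re

# Values taken from the bug (comment 5): the root's SHA-1 fingerprint and its OU.
EQUIFAX_ROOT_SHA1 = "D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A"
EQUIFAX_OU = "Equifax Secure Certificate Authority"

OID_OU = bytes.fromhex("55040b")                    # 2.5.4.11 organizationalUnitName
OID_RSA = bytes.fromhex("2a864886f70d010101")       # 1.2.840.113549.1.1.1 rsaEncryption
OID_SHA1_RSA = bytes.fromhex("2a864886f70d010105")  # 1.2.840.113549.1.1.5 sha1WithRSAEncryption


def der_read(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Split the contents of a SEQUENCE/SET into a list of (tag, value)."""
    out, pos = [], 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        out.append((tag, value))
    return out


def name_attr(name_body, oid):
    """First value of attribute `oid` in an X.501 Name (SEQUENCE OF SET OF SEQUENCE)."""
    for _, rdn in der_children(name_body):
        for _, atv in der_children(rdn):
            attr_oid, value = der_children(atv)
            if attr_oid[1] == oid:
                return value[1].decode("ascii", "replace")
    return None


def rsa_modulus_bits(spki_body):
    """Bit length of the RSA modulus in a SubjectPublicKeyInfo, or None if not RSA."""
    (_, alg), (_, bitstr) = der_children(spki_body)
    if der_children(alg)[0][1] != OID_RSA:
        return None
    rsa_key = der_children(bitstr[1:])[0][1]         # skip the unused-bits byte
    _, modulus = der_children(rsa_key)[0]
    return int.from_bytes(modulus, "big").bit_length()


def inspect_cert(der):
    """Issuer OU and RSA key size of a DER-encoded certificate."""
    tbs = der_children(der_children(der)[0][1])[0][1]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # explicit [0] version (v3)
        fields = fields[1:]
    # fields: serial, signature alg, issuer, validity, subject, spki, ...
    return {"issuer_ou": name_attr(fields[2][1], OID_OU),
            "rsa_bits": rsa_modulus_bits(fields[5][1])}


def sha1_fingerprint(der):
    """Colon-separated uppercase SHA-1 over the DER bytes, as Bugzilla shows it."""
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


def pem_bundle_to_der(text):
    """All certificates in a PEM bundle, as DER byte strings."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    return [base64.b64decode("".join(b.split())) for b in blocks]


def der_to_pem(der):
    """PEM-encode one DER certificate (encodebytes wraps lines for us)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"


def assess(der, legacy_roots=frozenset({EQUIFAX_ROOT_SHA1})):
    """Reasons a certificate is affected by the trust-bit change (empty list if none)."""
    info, findings = inspect_cert(der), []
    if sha1_fingerprint(der) in legacy_roots:
        findings.append("is a legacy root whose Websites/Code Signing trust bits are off")
    if info["issuer_ou"] == EQUIFAX_OU:
        findings.append("issued under the Equifax Secure Certificate Authority OU")
    if info["rsa_bits"] is not None and info["rsa_bits"] < 2048:
        findings.append(f"{info['rsa_bits']}-bit RSA key (below the 2048-bit minimum)")
    return findings


# --- constructed sample certificate (hypothetical; zero signature, made-up modulus) ---
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    size = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | size]) + n.to_bytes(size, "big") + body


def _int(n):                                         # DER INTEGER with sign-padding byte
    return _tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_sample_cert(issuer_ou=EQUIFAX_OU, modulus_bits=1024):
    modulus = (1 << (modulus_bits - 1)) | 1          # constructed modulus of the requested size
    key = _tlv(0x30, _int(modulus) + _int(65537))
    spki = _tlv(0x30, _tlv(0x30, _tlv(0x06, OID_RSA) + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + key))
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, OID_OU) + _tlv(0x13, issuer_ou.encode()))))
    validity = _tlv(0x30, _tlv(0x17, b"150101000000Z") + _tlv(0x17, b"160101000000Z"))
    sig_alg = _tlv(0x30, _tlv(0x06, OID_SHA1_RSA) + _tlv(0x05, b""))
    tbs = _tlv(0x30, _tlv(0xA0, _int(2)) + _int(1) + sig_alg + name + validity + name + spki)
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00" * 129))


if __name__ == "__main__":
    for der in pem_bundle_to_der(der_to_pem(build_sample_cert())):
        print(sha1_fingerprint(der), assess(der))
```

Point `pem_bundle_to_der` at a server's chain file instead of the constructed sample to get the same report for real certificates; a match on the fingerprint identifies the root itself, while the OU and key-size checks catch the leaf and intermediate certificates that still chain up to it.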