Add SHA1 versions of "Thawte Server CA" and "Thawte Premium Server CA" roots

RESOLVED WONTFIX

Status

RESOLVED WONTFIX
9 years ago
2 years ago

People

(Reporter: tony_berman, Assigned: kwilson)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: Information incomplete)

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727; MS-RTC LM 8; InfoPath.1)
Build Identifier: 

Please include SHA1 versions of the "Thawte Server CA" and "Thawte Premium Server CA". The version of the root currently in the NSS root store uses MD5. We are replacing this with a rehashed version that uses SHA1. The new SHA-1 root has the same name and public key but a different serial number.

Reproducible: Always
(Reporter)

Comment 1

9 years ago
Created attachment 423395 [details]
SHA1 version of Thawte Server CA
(Reporter)

Comment 2

9 years ago
Created attachment 423396 [details]
Thawte Premium Server CA SHA1 version

Comment 3

9 years ago
Assuming that you're a colleague of Jay Schiavo (mentioned in other requests like bug 484903 and bug 409237), I'm moving this to the correct category.
Assignee: nobody → kathleen95014
Status: UNCONFIRMED → NEW
Component: Security → CA Certificates
Ever confirmed: true
Product: Firefox → mozilla.org
QA Contact: firefox → ca-certificates
Version: unspecified → other
(Assignee)

Comment 4

9 years ago
Both of these roots are SHA1, 1024-bit.

I believe that the purpose of including these roots at this point in time would be to transition off of the equivalent MD5 roots that are currently in NSS. However, it looks like we will be disabling MD5 via an NSS environment variable, so perhaps the certs under those MD5 roots don't need to be migrated to these SHA1 roots?

Also note that the root inclusion process takes about a year:
https://wiki.mozilla.org/CA:How_to_apply#Timeline
So these roots would likely get included after the cutoff date for CAs to stop issuing certs under 1024-bit roots.
Status: NEW → ASSIGNED
(Assignee)

Updated

9 years ago
Whiteboard: Information incomplete
(Assignee)

Comment 5

8 years ago
Tony, can this bug be closed?
(Assignee)

Comment 6

8 years ago
We are no longer adding 1024-bit roots.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → WONTFIX

Updated

2 years ago
Product: mozilla.org → NSS