info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Remove old CNNIC root certs from NSS
399 views
Skip to first unread message
Kathleen Wilson
Jul 10, 2017, 3:44:02 PM7/10/17
to mozilla-dev-s...@lists.mozilla.org
All,
I think we should remove the two old CNNIC root certificates from NSS that are not trusted for cert issuance after April 2015.
Reference:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#CNNIC
"Mozilla currently recommends not trusting any certificates issued by this CA after 1st April 2015. This covers two roots in our store - "CNNIC ROOT" and "China Internet Network Information Center EV Certificates Root". We have a whitelist of older certificates, and tools to generate it. The code implementing this restriction is in the Mozilla platform security code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, etc.)."
Please let me know if you foresee any problems with removing these two root certs from NSS.
Thanks,
Kathleen
I think we should remove the two old CNNIC root certificates from NSS that are not trusted for cert issuance after April 2015.
Reference:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#CNNIC
"Mozilla currently recommends not trusting any certificates issued by this CA after 1st April 2015. This covers two roots in our store - "CNNIC ROOT" and "China Internet Network Information Center EV Certificates Root". We have a whitelist of older certificates, and tools to generate it. The code implementing this restriction is in the Mozilla platform security code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, etc.)."
Please let me know if you foresee any problems with removing these two root certs from NSS.
Thanks,
Kathleen
Kathleen Wilson
Jul 13, 2017, 7:10:06 PM7/13/17
to mozilla-dev-s...@lists.mozilla.org
0 new messages