
Remove trust of Symantec's Class 3 Public Primary Certification Authority?


Kurt Roeckx

Dec 12, 2015, 6:42:21 PM
to mozilla-dev-s...@lists.mozilla.org
Hi,

It seems that Symantec will stop using the "VeriSign G1" root
certificate. In the announcement[1] they say: "Browsers may
remove TLS/SSL support for certificates issued from these roots."

The name of the certificate seems to be "Class 3 Public Primary
Certification Authority".

It seems Google plans[2] to remove the TLS trust bits, and distrust
it instead.

The announcement says that it's also used for code signing, but
it's not clear that it's still going to be used for that or not.

Should Mozilla follow and disable the TLS trust bits? Add it to
the distrusted list?


Kurt

[1]: https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US
[2]: https://googleonlinesecurity.blogspot.be/2015/12/proactive-measures-in-digital.html

Eric Mill

Dec 12, 2015, 7:51:01 PM
to Kurt Roeckx, mozilla-dev-s...@lists.mozilla.org
Peter Bowen has suggested that the G2 root should be considered the same
way, since it seems to be used for the same purpose as the one Google
referenced:

https://twitter.com/pzb/status/675354162071252992

I believe this censys.io link is a (slightly) friendlier way of showing the
same thing:

https://www.censys.io/certificates?q=parsed.subject.common_name%3APrivate+AND+parsed.subject.organization%3ASymantec+and+parsed.extensions.basic_constraints.is_ca%3Atrue

-- Eric
--
konklone.com | @konklone <https://twitter.com/konklone>

Yuhong Bao

Dec 12, 2015, 7:56:39 PM
to Kurt Roeckx, mozilla-dev-s...@lists.mozilla.org
I think this and most of the other 1024-bit roots were removed or restricted to email in Mozilla some time ago (the last remaining one is Equifax). They had been considered obsolete for a long time.

Eric Mill

Dec 12, 2015, 8:08:34 PM
to Yuhong Bao, mozilla-dev-s...@lists.mozilla.org, Kurt Roeckx
The G2 root identified by Peter is 2048-bit.

-- Eric

Yuhong Bao

Dec 12, 2015, 9:57:17 PM
to Eric Mill, mozilla-dev-s...@lists.mozilla.org, Kurt Roeckx
The VeriSign "Class 3 Public Primary Certification Authority - G2" is also 1024-bit.

Eric Mill

Dec 13, 2015, 5:33:34 PM
to Yuhong Bao, mozilla-dev-s...@lists.mozilla.org, Kurt Roeckx
Sorry, you're right -- I inferred incorrectly from filtering censys.io on
key size.

Andrew Ayer

Dec 14, 2015, 9:34:37 PM
to mozilla-dev-s...@lists.mozilla.org
On Sat, 12 Dec 2015 16:56:04 -0800
Yuhong Bao <yuhong...@hotmail.com> wrote:

> I think this and most of the other 1024-bit roots were removed or
> restricted to email in Mozilla some time ago (the last remaining one is
> Equifax). They had been considered obsolete for a long time.

Indeed, the Verisign Class 3 Public Primary Certification Authority is
currently email-only. I'm curious if there's any reason the email
trust bit should not be removed as well, considering that Symantec's
announcement[1] only lists TLS and code signing as the uses of this
root.

Thanks,
Andrew

[1] https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941&actp=LIST&viewlocale=en_US
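The point made in Yuhong's and Andrew's messages, that trust for a root is recorded per purpose in the trust store rather than in the certificate and that Mozilla kept its 1024-bit roots only for email, can be shown with a small added example (not code from this thread or from Mozilla's NSS): it builds a constructed self-signed root of a chosen RSA size and applies an assumed policy that strips the TLS and code-signing bits from any RSA root under 2048 bits, leaving only the email bit. `TrustBits`, `restrictWeakRoot` and `makeRoot` are names chosen here.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// TrustBits models the per-purpose trust bits NSS records for a root. They
// live in the trust store, not in the certificate, which is how a root can
// become "email-only" without anyone reissuing it.
type TrustBits struct{ TLS, Email, CodeSigning bool }

// restrictWeakRoot applies the assumed policy: an RSA root below minBits keeps
// only its email bit; non-RSA roots and strong enough roots are unchanged.
func restrictWeakRoot(root *x509.Certificate, bits TrustBits, minBits int) TrustBits {
	pub, ok := root.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() >= minBits {
		return bits
	}
	return TrustBits{TLS: false, Email: bits.Email, CodeSigning: false}
}

// makeRoot builds a self-signed CA of the given RSA size (constructed test
// data standing in for a legacy root such as the 1024-bit one discussed above).
func makeRoot(cn string, keyBits int) (*x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

Go's own chain verification does not consult such bits, so a policy like this has to be enforced by the trust store before a root is handed to the verifier.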

Jakob Bohm

Dec 15, 2015, 11:04:20 AM
to mozilla-dev-s...@lists.mozilla.org
Please note that while someone in this group successfully lobbied to
remove the "code-signing" trust bits across the board, the Mozilla CA
list is still one of the primary sources of general CA lists in open
source projects that don't have the clout to maintain ongoing close
contractual relationships with the CAs. And those other projects have
not made the mistake of replacing the code signing bit by a closed
garden god key of their own.

Thus one must also consider the code signing usage before removing a
certificate. And in the code signing world, one major software vendor
is consistently refusing to patch its software to accept modern
signature algorithms, thus forcing SHA-1 code signing certificates to
remain in use for the foreseeable future.

Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded