Root Cleanup to remove legacy and disabled certs

Kathleen Wilson

Dec 13, 2010, 6:50:36 PM
to mozilla-dev-s...@lists.mozilla.org
All,

As per bug #617664, I am recommending the removal of the following root
certificates from NSS. Please reply in this discussion if you have
concerns about the removal of any of these roots.

Reason for removal: Legacy, no longer in use

CN = AOL Time Warner Root Certification Authority 1
O = AOL Time Warner Inc.
SHA1: 74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49
(bug #605187)

CN = AOL Time Warner Root Certification Authority 2
O = AOL Time Warner Inc.
SHA1: FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A
(bug #605187)


Reason for removal: No longer needed to be included in NSS, and outdated
key algorithm (MD5)

CN = Thawte Timestamping CA
O = Thawte
SHA1: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56

CN = Thawte Personal Freemail CA
O = Thawte Consulting
SHA1: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85


Reason for removal: All trust bits already disabled; previously deprecated.

CN = Entrust.net Client Certification Authority
OU = (c) 1999 Entrust.net Limited
O = Entrust.net
SHA1: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = IPS CA Chained CAs Certification Authority
O = IPS Internet publishing Services s.l.
SHA1: C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57

CN = IPS CA CLASE1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1: 43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF

CN = IPS CA CLASE3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1: 41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C

CN = IPS CA CLASEA1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1: 33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04

CN = IPS CA CLASEA3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1: 16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E

CN = IPS CA Timestamping Certification Authority
O = IPS Internet publishing Services s.l.
SHA1: 96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2


This begins the discussion of my proposal to remove these root
certificates from NSS. At the conclusion of this discussion, I will
provide a summary of concerns noted and action items. If there are no
outstanding action items or concerns, then I will proceed with creating
the NSS bug for the actual changes.

Kathleen

Nelson Bolyard

Dec 16, 2010, 7:55:18 AM
to mozilla-dev-s...@lists.mozilla.org
On 2010-12-13 15:50 PDT, Kathleen Wilson wrote:
> All,
>
> As per bug #617664, I am recommending the removal of the following root
> certificates from NSS. Please reply in this discussion if you have
> concerns about the removal of any of these roots.

I have no objections to the proposed removals, but I do have one comment
regarding the reason given for removing the Thawte certs.

> Reason for removal: No longer needed to be included in NSS, and
> outdated key algorithm (MD5)
>
> CN = Thawte Timestamping CA
> O = Thawte
> SHA1: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56
>
> CN = Thawte Personal Freemail CA
> O = Thawte Consulting
> SHA1: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85

These are (or were) both trusted root CA certs. As such, the signatures
on these certs are (or were) never checked by Firefox. Consequently,
the hash algorithm used in those signatures is immaterial. I just
wouldn't list the hash algorithm as being a reason for removal.

--
/Nelson Bolyard

Kathleen Wilson

Dec 16, 2010, 12:31:13 PM
to mozilla-dev-s...@lists.mozilla.org

Of course you are correct. Point taken.

Thanks,
Kathleen

Kathleen Wilson

Jan 3, 2011, 6:56:19 PM
to mozilla-dev-s...@lists.mozilla.org
On 12/13/10 3:50 PM, Kathleen Wilson wrote:
> All,
>
> As per bug #617664, I am recommending the removal of the following root
> certificates from NSS. Please reply in this discussion if you have
> concerns about the removal of any of these roots.
>

Thank you to those who provided feedback about this list of root
certificates to be removed.

I am now closing this discussion, and will proceed with creating the NSS
bug for the actual changes.

All follow-up on this request should be posted directly in the bug.

https://bugzilla.mozilla.org/show_bug.cgi?id=617664

Thanks and Happy new year!
Kathleen

David E. Ross

Jan 3, 2011, 10:22:16 PM
to mozilla-dev-s...@lists.mozilla.org

Question: I have edited some root certificates, turning off their trust
bits. When this cleanup is implemented in a new version of Firefox or
SeaMonkey, what file should I delete to restore my configuration to its
nominal form so that I can get the benefit of the cleanup?

--

David E. Ross
<http://www.rossde.com/>

On occasion, I might filter and ignore all newsgroup messages
posted through GoogleGroups via Google's G2/1.0 user agent
because of spam from that source.