On Wed, 31 Mar 2021 13:02:21 +0200
Christoph Moench-Tegeder <cmt_at_burggraben.net> wrote:

> ## Jochen Neumeister (joneum_at_FreeBSD.org):
>
> > Why are these certificates blacklisted?
>
> Various reasons:
> - Symantec (which owned Thawte and VeriSign back in the time) made
> the news in a bad way:
> https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
> - some certificates are simply expired
> - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
> beyond deprecated

The hashing algorithm (SHA-1) doesn't matter in case of trusted root CAs though, as they're self-signed anyway - you trust the certificate and not the signature in this case. Therefore, keeping them in for compatibility reasons can make sense to prevent people from having to maintain their own local trusted CA cert lists.

Probably doesn't matter so much in this specific case, but I remember when security/ca_root_nss removed MD5 self-signed root CAs and the world of pain I was in as a result of that decision, as legitimate certificates that worked in all major browsers would be suddenly considered insecure by my servers.

-m

> - and basically "whatever Mozilla did", as the certificates are
> imported from NSS.
>
> Regards,
> Christoph
>

-- 
Michael Gmelin

Received on Wed Mar 31 2021 - 10:03:39 UTC
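The claim in the reply above (a trust anchor's own signature algorithm is irrelevant, because the verifier trusts the anchor by identity rather than by checking its self-signature) can be demonstrated with OpenSSL. The script below is an added example, not code from the thread or from the ports in question: it generates a throwaway root self-signed with SHA-1, issues a SHA-256 leaf from it, and validates the leaf against that root. All subject names, key sizes and lifetimes are made up for the demo. Note that OpenSSL skips the self-signature of the trust anchor by default; checking it is opt-in via `-check_ss_sig`, which the OpenSSL manual describes as disabled because it adds no security. The practical caveat is the flip side of the same point: a SHA-1 root is harmless as an anchor, but a SHA-1 signature on an intermediate or leaf is exactly what verifiers should (and do) reject.

```shell
#!/bin/sh
# Added example (not from the thread): build a chain whose root is
# self-signed with SHA-1 and whose leaf is signed with SHA-256, then let
# OpenSSL validate the leaf against that root. Validation succeeds: the
# root is accepted because it is in the trust store (matched by name/key),
# and its own SHA-1 self-signature is never evaluated. Names and the
# 30-day lifetimes below are constructed for this demo.
demo_sha1_root() {
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # Trust anchor: self-signed with SHA-1 (sha1WithRSAEncryption).
        openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 30 \
            -keyout root.key -out root.pem \
            -subj "/CN=Demo SHA-1 Root" 2>/dev/null || exit 1
        # Leaf: CSR, then signed by the root with SHA-256.
        openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
            -subj "/CN=leaf.example.test" 2>/dev/null || exit 1
        openssl x509 -req -in leaf.csr -CA root.pem -CAkey root.key \
            -CAcreateserial -sha256 -days 30 -out leaf.pem 2>/dev/null || exit 1
        # Show the root's signature algorithm: the thing the thread discusses.
        openssl x509 -in root.pem -noout -text |
            awk '/Signature Algorithm/ { sub(/^ +/, ""); print "root " $0; exit }'
        # Show what actually identifies the anchor: its fingerprint, not its signature.
        printf 'root %s\n' "$(openssl x509 -in root.pem -noout -fingerprint -sha256)"
        # Chain validation leaf -> root; prints "leaf.pem: OK" on success.
        # The root's SHA-1 self-signature is not checked (no -check_ss_sig).
        openssl verify -CAfile root.pem leaf.pem
    )
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Run `demo_sha1_root` and compare the two `root` lines with the final verdict: the algorithm line says `sha1WithRSAEncryption`, yet `openssl verify` reports `leaf.pem: OK`, because trust in the root comes from its presence in the store (and its fingerprint/key), not from the hash used in its self-signature.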