Re: Blacklisted certificates

From: Michael Gmelin <freebsd_at_grem.de>
Date: Wed, 31 Mar 2021 14:03:22 +0200
On Wed, 31 Mar 2021 13:02:21 +0200
Christoph Moench-Tegeder <cmt_at_burggraben.net> wrote:

> ## Jochen Neumeister (joneum_at_FreeBSD.org):
> 
> > Why are this certificates blacklisted?  
> 
> Various reasons:
> - Symantec (which owned Thawte and VeriSign back in the time) made
>   the news in a bad way:
>   https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
> - some certificates are simply expired
> - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
>   beyond deprecated

The hashing algorithm (SHA-1) doesn't matter in case of trusted root
CAs though, as they're self-signed anyway - you trust the certificate
and not the signature in this case. Therefore, keeping them in for
compatibility reasons can make sense to prevent people from having to
maintain their own local trusted CA cert lists.

Probably doesn't matter so much in this specific case, but I remember
when security/ca_root_nss removed MD5 self-signed root CAs and the
world of pain I was in as a result of that decision, as legitimate
certificates that worked in all major browsers would be
suddenly considered insecure by my servers.

-m

> - and basically "whatever Mozilla did", as the certificates are
>   imported from NSS.
> 
> Regards,
> Christoph
> 



-- 
Michael Gmelin
Received on Wed Mar 31 2021 - 10:03:39 UTC

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:41:27 UTC