Blacklisted certificates
Michael Gmelin
freebsd at grem.de
Wed Mar 31 12:03:39 UTC 2021
On Wed, 31 Mar 2021 13:02:21 +0200
Christoph Moench-Tegeder <cmt at burggraben.net> wrote:
> ## Jochen Neumeister (joneum at FreeBSD.org):
>
> > Why are this certificates blacklisted?
>
> Various reasons:
> - Symantec (which owned Thawte and VeriSign back in the time) made
> the news in a bad way:
> https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
> - some certificates are simply expired
> - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
> beyond deprecated
The hashing algorithm (SHA-1) doesn't matter in case of trusted root
CAs though, as they're self-signed anyway - you trust the certificate
and not the signature in this case. Therefore, keeping them in for
compatibility reasons can make sense to prevent people from having to
maintain their own local trusted CA cert lists.
Probably doesn't matter so much in this specific case, but I remember
when security/ca_root_nss removed MD5 self-signed root CAs and the
world of pain I was in as a result of that decision, as legitimate
certificates that worked in all major browsers would be
suddenly considered insecure by my servers.
-m
> - and basically "whatever Mozilla did", as the certificates are
> imported from NSS.
>
> Regards,
> Christoph
>
--
Michael Gmelin
More information about the freebsd-current
mailing list