Mozilla contains unidentified root certificates (opens in new tab)

(bugzilla.mozilla.org)

24 pointsSpark2316y ago7 comments

7 comments

4 comments · 1 top-level

olefoo16y ago· 3 in thread

Headline sensationalist much? Two certs are mentioned, both belonging to RSA, one of which doesn't appear to have been covered by their most recent audit and is therefore a candidate for removal.

forkqueue16y ago

That's not quite what it says - the one that wasn't covered by the most recent audit isn't a candidate for removal until 1/1/2012 at the earliest. The other certificate is completely unknown.

This thread gives more context:

http://groups.google.com/group/mozilla.dev.security.policy/b...

olefoo16y ago

That's a bit more information, but the headline here at HN is still overblown; we're down to one unidentified root certificate that was probably issued by RSA, but for which no records can be found. Most probably attributable to incompetence and poor recordkeeping rather than a malicious compromise of the whole PKI.

1 more reply

kinetik16y ago

From that thread:

Both "RSA Security 1024 V3" and "RSA Security 2048 V3" are shown as valid in Apple's System Roots.

Microsoft's list includes "RSA Security 2048 V3", but not "RSA Security 1024 V3".

I'm glad there's more transparency about what is added to the NSS certificate store nowadays.

j / k navigate · click thread line to collapse