Date: Wed, 31 Mar 2021 14:03:22 +0200 From: Michael Gmelin <freebsd@grem.de> To: Christoph Moench-Tegeder <cmt@burggraben.net> Cc: freebsd-current@freebsd.org Subject: Re: Blacklisted certificates Message-ID: <20210331140322.07a3e650@bsd64.grem.de> In-Reply-To: <YGRWvWRP0DifBj%2Bm@elch.exwg.net> References: <a201a652-cd77-17a7-03a5-2715920d1d3e@FreeBSD.org> <YGRWvWRP0DifBj%2Bm@elch.exwg.net>
index | next in thread | previous in thread | raw e-mail
On Wed, 31 Mar 2021 13:02:21 +0200 Christoph Moench-Tegeder <cmt@burggraben.net> wrote: > ## Jochen Neumeister (joneum@FreeBSD.org): > > > Why are this certificates blacklisted? > > Various reasons: > - Symantec (which owned Thawte and VeriSign back in the time) made > the news in a bad way: > https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/ > - some certificates are simply expired > - some certificates use SHA-1 ("sha1WithRSAEncryption") which is > beyond deprecated The hashing algorithm (SHA-1) doesn't matter in case of trusted root CAs though, as they're self-signed anyway - you trust the certificate and not the signature in this case. Therefore, keeping them in for compatibility reasons can make sense to prevent people from having to maintain their own local trusted CA cert lists. Probably doesn't matter so much in this specific case, but I remember when security/ca_root_nss removed MD5 self-signed root CAs and the world of pain I was in as a result of that decision, as legitimate certificates that worked in all major browsers would be suddenly considered insecure by my servers. -m > - and basically "whatever Mozilla did", as the certificates are > imported from NSS. > > Regards, > Christoph > -- Michael Gmelinhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20210331140322.07a3e650>