Eddy Nigg wrote, On 2009-05-21 15:15:
> On 05/21/2009 03:46 AM, Nelson Bolyard:
>>> Also related, in bug #490895 VeriSign has requested inclusion of the
>>> SHA-1 version of their roots to replace the corresponding old MD5
>>> version of their roots. At the time of inclusion of the SHA-1 version
>>> of the roots, is there any reason to keep the old MD5 version of the
>>> roots in NSS?
>>
>> Yes, it solves the same potential problem for Verisign, namely that a
>> server might send out a chain with the "other" root.
Perhaps I was a bit hasty with that reply. Recall that the problem originally being discussed, for Izenpe, was caused by the fact that the "old" and "new" roots both had identical notBefore and notAfter time stamps. If that had not been true, and one of them was "obviously" newer than the other (by virtue of having a later notBefore date, or matching notBefore dates and a later notAfter date), then NSS would always choose the newer cert, and there would be no value in retaining both certs.

In Verisign's case, I did not look to see if their "old" and "new" roots have the same notBefore and notAfter dates. If they do, then I stand by my original answer. If they do not, then my answer should have been that there is no point in keeping the older root cert.

> Kathleen posted in this comment
> https://bugzilla.mozilla.org/show_bug.cgi?id=490895#c8 that this is also
> a reason to keep a MD2 root in NSS even though a SHA1 root is going to
> replace it. I'm not sure if this was the conclusion of this discussion,
> but I'd suggest not to do that. Also current discussions elsewhere
> indicate that those algorithms should be yanked pretty soonish.

By itself, the presence of an old hash algorithm in the signature of a trusted root is not a reason to pull the root. The reason for that is that we generally do not check the signatures on trusted roots. The fact that the root is marked trusted means that its signature has already been checked, and it need not be checked again every time.

At some time in the future, I imagine Firefox will stop honoring signatures that use MD2 and MD5 altogether. (The code to do this is already in NSS, but must be enabled by the application or by the user.) Firefox will then find all such signatures to be invalid. Even when we do that, that will not necessitate that we pull the trusted roots with those old signatures, because we never check them. The signatures in trusted roots are simply irrelevant.
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
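As an added illustration, not code from this thread or from NSS, the "newer root wins" rule the reply describes, applied to constructed root records: later notBefore wins, equal notBefore falls back to later notAfter, and identical timestamps (the Izenpe situation) give no preference, so both roots must be kept. The subject names, labels, dates and hash names are hypothetical, and the signature hash is carried only to show that the rule never consults it.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed, simplified root-certificate records for illustration only;
# the dates and hash names below are NOT the real VeriSign or Izenpe values.
@dataclass(frozen=True)
class RootCert:
    label: str
    subject: str          # subject DN shared by the "old" and "new" root
    not_before: datetime
    not_after: datetime
    sig_hash: str         # hash in the root's self-signature (never checked once trusted)

def prefer_newer(a: RootCert, b: RootCert) -> Optional[RootCert]:
    """Selection rule from the post: later notBefore wins; with equal
    notBefore, later notAfter wins; identical timestamps -> no preference."""
    if a.subject != b.subject:
        raise ValueError("rule only applies to roots with the same subject name")
    if a.not_before != b.not_before:
        return a if a.not_before > b.not_before else b
    if a.not_after != b.not_after:
        return a if a.not_after > b.not_after else b
    return None  # the Izenpe case: NSS cannot tell which root is newer

def roots_to_keep(old: RootCert, new: RootCert) -> List[RootCert]:
    """Keep only the newer root when one is obviously newer; keep both when
    the timestamps tie, so a chain sent with the 'other' root still builds."""
    newer = prefer_newer(old, new)
    return [old, new] if newer is None else [newer]

def D(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")

# Hypothetical "VeriSign-like" pair: the re-signed root carries later dates.
vs_old = RootCert("example-md5", "CN=Example Root", D("2000-01-01"), D("2020-01-01"), "md5")
vs_new = RootCert("example-sha1", "CN=Example Root", D("2006-01-01"), D("2036-01-01"), "sha1")
# Hypothetical "Izenpe-like" pair: identical validity, only the signature hash differs.
iz_old = RootCert("other-old", "CN=Other Root", D("2008-01-01"), D("2038-01-01"), "sha1")
iz_new = RootCert("other-new", "CN=Other Root", D("2008-01-01"), D("2038-01-01"), "sha256")

if __name__ == "__main__":
    for old, new in ((vs_old, vs_new), (iz_old, iz_new)):
        print(old.subject, "->", [c.label for c in roots_to_keep(old, new)])
```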