Frank, Nelson, just in case it's useful... I recall that GlobalSign recently refreshed their "GlobalSign Root CA": https://bugzilla.mozilla.org/show_bug.cgi?id=406794
When the new GlobalSign Root CA certificate (which expires in 2028) was added to NSS, the old certificate (which expires in 2014) was *removed*: https://bug449883.bugzilla.mozilla.org/attachment.cgi?id=333011

I presume that GlobalSign have not encountered any problems following the removal of their old certificate from NSS.

On Friday 22 May 2009 15:24:47 Frank Hecker wrote:
> Nelson Bolyard wrote:
> > On 2009-05-20 13:58, Kathleen Wilson wrote:
> >> When processing a cert chain, does Mozilla use a specified algorithm/
> >> order for determining which root to use when there are two roots
> >> included that are identical except for signature algorithm and serial
> >> number?
> >
> > The algorithm for choosing from among multiple certs with the same
> > subject name and key ID generally involves picking the "newest" one.
> > When multiple certs have the same exact notBefore and notAfter dates,
> > the order is determined by the certs' relative positions in the cert
> > cache, which is effectively unpredictable. So, for purposes of this
> > discussion, the short answer to your question is: no.
>
> So, just to clarify: I *think* you're proposing that we do the following
> in cases where CAs issue new root certificates with stronger signature
> algorithms (e.g., upgrading MD2 or MD5 roots to use SHA-1):
>
> 1. We should keep the old root certificates in the root list, at least
> for now. Rationale: It does no harm to keep the old roots, since we do
> not check signatures on roots, and it may prevent possible errors when
> Firefox, Thunderbird, etc., receive a full cert chain that includes the
> old root.
>
> 2. We should encourage CAs to issue the new replacement roots with
> notBefore and notAfter dates that are later than the corresponding dates
> for the old roots. Rationale: This ensures that NSS will
> deterministically select the newer root in cases where there is a choice
> to be made. (Does this include the case when Firefox, etc., receive a
> full cert chain that includes the old root?)
>
> Is the above a correct reading of your comments?
>
> Frank
>
> --
> Frank Hecker
> hec...@mozillafoundation.org

--
Rob Stradling
Senior Research & Development Scientist
Comodo - Creating Trust Online
Office Tel: +44.(0)1274.730505
Fax Europe: +44.(0)1274.730909
www.comodo.com

Comodo CA Limited, Registered in England No. 04058690
Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
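The selection rule Nelson describes in the quoted thread (prefer the "newest" root among those sharing a subject name and key ID; fall back to unpredictable cache order on an exact date tie) and Frank's resulting recommendation to CAs (give the replacement root strictly later notBefore/notAfter dates) can be modelled in a few lines. The following is an added illustration and is not code from the thread, from NSS, or from any CA: it assumes that "newest" means the latest notBefore and then the latest notAfter, and all certificate records, names, key IDs and dates in it are constructed, not parsed from real X.509 roots.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple


@dataclass(frozen=True)
class RootCert:
    """The fields of a trust anchor that matter for the selection rule.
    Constructed records standing in for parsed X.509 certificates."""
    label: str
    subject: str
    key_id: str        # subject key identifier, shared by the old root and its reissue
    sig_alg: str
    serial: int
    not_before: datetime
    not_after: datetime


def candidates_for(subject: str, key_id: str, store: List[RootCert]) -> List[RootCert]:
    """All roots in the store that match the issuer name and key ID of the cert being chained."""
    return [c for c in store if c.subject == subject and c.key_id == key_id]


def pick_newest(candidates: List[RootCert]) -> Tuple[RootCert, bool]:
    """Model of the preference described in the thread: among roots with the same subject
    and key ID, take the 'newest' (assumed: latest notBefore, then latest notAfter).
    The second value is False when the winner ties on both dates with another candidate,
    i.e. the real choice would depend on cert-cache order and is not deterministic."""
    if not candidates:
        raise ValueError("no matching root")
    ranked = sorted(candidates, key=lambda c: (c.not_before, c.not_after), reverse=True)
    top = ranked[0]
    tied = [c for c in ranked if (c.not_before, c.not_after) == (top.not_before, top.not_after)]
    return top, len(tied) == 1


def replacement_dates_ok(old: RootCert, new: RootCert) -> bool:
    """Check a CA can run before reissuing a root with a stronger signature algorithm:
    same subject and key ID, and both dates strictly later, so pick_newest() can never tie."""
    same_identity = old.subject == new.subject and old.key_id == new.key_id
    return same_identity and new.not_before > old.not_before and new.not_after > old.not_after


def select_root(subject: str, key_id: str, store: List[RootCert]) -> Tuple[RootCert, bool]:
    return pick_newest(candidates_for(subject, key_id, store))


# --- constructed sample data (hypothetical CA, key ID and dates) ---
SUBJECT = "CN=Example Root CA,O=Example,C=XX"
KEY_ID = "0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d"

OLD_MD5 = RootCert("old-md5", SUBJECT, KEY_ID, "md5WithRSAEncryption", 1,
                   datetime(2000, 1, 1), datetime(2015, 1, 1))
# Reissue done as the thread recommends: same name and key, later dates.
NEW_SHA1 = RootCert("new-sha1", SUBJECT, KEY_ID, "sha1WithRSAEncryption", 2,
                    datetime(2005, 1, 1), datetime(2030, 1, 1))
# Reissue that only swapped signature algorithm and serial and kept the old dates.
SAME_DATES = RootCert("new-sha1-samedates", SUBJECT, KEY_ID, "sha1WithRSAEncryption", 3,
                      datetime(2000, 1, 1), datetime(2015, 1, 1))
UNRELATED = RootCert("other", "CN=Other Root,O=Other,C=XX",
                     "ffffffffffffffffffffffffffffffffffffffff", "sha1WithRSAEncryption", 1,
                     datetime(2001, 1, 1), datetime(2031, 1, 1))

STORE_GOOD = [UNRELATED, OLD_MD5, NEW_SHA1]   # old root kept, newer one wins deterministically
STORE_TIE = [UNRELATED, OLD_MD5, SAME_DATES]  # exact date tie: choice depends on cache order

if __name__ == "__main__":
    for name, store in (("good", STORE_GOOD), ("tie", STORE_TIE)):
        chosen, deterministic = select_root(SUBJECT, KEY_ID, store)
        print(f"{name}: chose {chosen.label} ({chosen.sig_alg}), deterministic={deterministic}")
    print("replacement ok:", replacement_dates_ok(OLD_MD5, NEW_SHA1),
          replacement_dates_ok(OLD_MD5, SAME_DATES))
```

The tie store is the situation Kathleen asks about: two roots identical except for signature algorithm and serial number. Keeping the old root in the store (point 1 in Frank's summary) costs nothing under this rule as long as the replacement's dates are later (point 2); `replacement_dates_ok` is the check a CA would apply before submitting the reissued root.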