On May 28, 3:12 pm, Nelson B Bolyard <nel...@bolyard.me> wrote: > On 2009-05-28 10:52 PDT, Kathleen Wilson wrote: > > > Just to make sure I understand… > > > In the VeriSign case the MD2 roots expire on 2028-08-01, and the SHA1 > > roots expire on 2028-08-02, so the SHA1 roots would take precedence in > > NSS. Therefore, there is no benefit in keeping the MD2 roots, and the > > MD2 roots should be removed when the SHA1 roots are added. > > That is also my understanding. > ...
Hold on please - we would like the MD2 roots to remain alongside the SHA1 roots. The reason is that we have issued several intermediate CAs from the MD2 root which bear the serial number of the MD2 root in their AKI extension. When we created the SHA1 roots, we added one day to the validity period and kept the DN and key the same, but we gave it a different serial number (that is our practice). We discovered too late that Firefox uses the AKI to find the issuer, and if it's not found, Firefox does not fall back to other methods (like using the Issuer DN, as other browsers do). Hence we need the MD2 roots to remain in Firefox until customers renew and replace their SSL certs signed by intermediates that contain the AKI extension pointing to the MD2 root. We expect that might take several years. -Rick -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
