On Wed, 31 Mar 2021 13:02:21 +0200
Christoph Moench-Tegeder <c...@burggraben.net> wrote:
> ## Jochen Neumeister (jon...@freebsd.org):
>
> > Why are these certificates blacklisted?
>
> Various reasons:
> - Symantec (which owned Thawte and VeriSign back in the time) made
> the news in a bad way:
> https://www.theregister.com/2017/09/12/chrome_66_to_reject_symantec_certs/
> - some certificates are simply expired
> - some certificates use SHA-1 ("sha1WithRSAEncryption") which is
> beyond deprecated
The hashing algorithm (SHA-1) doesn't matter in the case of trusted root
CAs though, as they're self-signed anyway - you trust the certificate
and not the signature in this case. Therefore, keeping them in for
compatibility reasons can make sense to prevent people from having to
maintain their own local trusted CA cert lists.
Probably doesn't matter so much in this specific case, but I remember
when security/ca_root_nss removed MD5 self-signed root CAs and the
world of pain I was in as a result of that decision, as legitimate
certificates that worked in all major browsers would be
suddenly considered insecure by my servers.
-m
> - and basically "whatever Mozilla did", as the certificates are
> imported from NSS.
>
> Regards,
> Christoph
>
--
Michael Gmelin
_______________________________________________
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"