Bug 1367573

Summary: Remove several legacy CAs, as of upstream update 2.10
Product: Red Hat Enterprise Linux 6
Reporter: Kai Engert (:kaie) (inactive account) <kengert>
Component: ca-certificates
Assignee: Kai Engert (:kaie) (inactive account) <kengert>
Status: CLOSED CANTFIX
QA Contact: Stanislav Zidek <szidek>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 6.8
CC: ksrot, nmavrogi, szidek
Target Milestone: rc
Target Release: 6.9
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-08-31 13:25:35 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1386679, 1386680, 1386683
Bug Blocks: 1339235

Description Kai Engert (:kaie) (inactive account) 2016-08-16 20:14:49 UTC
I suggest that we remove a subset of the legacy CAs that we keep included in the RHEL 6 ca-certificates package.

For RHEL 6.9, I suggest we rebase to version 2.10, which I expect to be part of Firefox 51.

The subject of this bug isn't about the rebase, but about the legacy removals, which in my opinion are justified based on the decisions made by the upstream Mozilla CA maintainers.

As of today, RHEL 6.x contains ca-certificates version 2.6

As explained here:
  https://fedoraproject.org/wiki/CA-Certificates#Changes_in_Version_2.7
upstream 2.7 has removed the four CAs mentioned there, because:
"The removal was based on information provided by the organizations that had issued the certificates, who stated that all of these certificates have been retired, either completely, or retired for public use."

I believe this is sufficient indication that they aren't required any more on the public internet.

In addition, as stated in this bug:
  https://bugzilla.mozilla.org/show_bug.cgi?id=1288250
"Please remove the following root certificates from NSS, because they are not included in the current audit statements."

If they aren't under audit any more, we should remove them.


To summarize, I suggest to remove the following CAs from the legacy list in RHEL 6.9:

 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:7d:d9:fe:07:cf:a8:1e:b7:10:79:67:fb:a7:89:34:c6
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 3 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): A2:33:9B:4C:74:78:73:D4:6C:E7:C1:F3:8D:CB:5C:E9
 # Fingerprint (SHA1): 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F

 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:3c:91:31:cb:1f:f6:d0:1b:0e:9a:b8:d0:44:bf:12:be
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Wed Aug 02 23:59:59 2028
 # Fingerprint (MD5): EF:5A:F1:33:EF:F1:CD:BB:51:02:EE:12:14:4B:96:C4
 # Fingerprint (SHA1): A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B

 # Issuer: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 105 (0x69)
 # Subject: CN=NetLock Uzleti (Class B) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:10:22 1999
 # Not Valid After : Wed Feb 20 14:10:22 2019
 # Fingerprint (MD5): 39:16:AA:B9:6A:41:E1:14:69:DF:9E:6C:3B:72:DC:B6
 # Fingerprint (SHA1): 87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF

 # Issuer: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Serial Number: 104 (0x68)
 # Subject: CN=NetLock Expressz (Class C) Tanusitvanykiado,OU=Tanusitvanykiadok,O=NetLock Halozatbiztonsagi Kft.,L=Budapest,C=HU
 # Not Valid Before: Thu Feb 25 14:08:11 1999
 # Not Valid After : Wed Feb 20 14:08:11 2019
 # Fingerprint (MD5): 4F:EB:F1:F0:70:C2:80:63:5D:58:9F:DA:12:3C:A9:C4
 # Fingerprint (SHA1): E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B

 # Trust for Certificate "Equifax Secure Global eBusiness CA"
 # Issuer: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 1 (0x1)
 # Subject: CN=Equifax Secure Global eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
 # Fingerprint (SHA1): 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45

 # Trust for Certificate "Equifax Secure eBusiness CA 1"
 # Issuer: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Serial Number: 4 (0x4)
 # Subject: CN=Equifax Secure eBusiness CA-1,O=Equifax Secure Inc.,C=US
 # Not Valid Before: Mon Jun 21 04:00:00 1999
 # Not Valid After : Sun Jun 21 04:00:00 2020
 # Fingerprint (MD5): 64:9C:EF:2E:44:FC:C6:8F:52:07:D0:51:73:8F:CB:3D
 # Fingerprint (SHA1): DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41

 # Trust for Certificate "Equifax Secure CA"
 # Issuer: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Serial Number: 903804111 (0x35def4cf)
 # Subject: OU=Equifax Secure Certificate Authority,O=Equifax,C=US
 # Not Valid Before: Sat Aug 22 16:41:51 1998
 # Not Valid After : Wed Aug 22 16:41:51 2018
 # Fingerprint (MD5): 67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
 # Fingerprint (SHA1): D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

 # Trust for Certificate "Verisign Class 3 Public Primary Certification Authority"
 # Issuer: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Serial Number:70:ba:e4:1d:10:d9:29:34:b6:38:ca:7b:03:cc:ba:bf
 # Subject: OU=Class 3 Public Primary Certification Authority,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon Jan 29 00:00:00 1996
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 10:FC:63:5D:F6:26:3E:0D:F3:25:BE:5F:79:CD:67:67
 # Fingerprint (SHA1): 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

 # Trust for Certificate "Verisign Class 2 Public Primary Certification Authority - G2"
 # Issuer: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Serial Number:00:b9:2f:60:cc:88:9f:a1:7a:46:09:b8:5b:70:6c:8a:af
 # Subject: OU=VeriSign Trust Network,OU="(c) 1998 VeriSign, Inc. - For authorized use only",OU=Class 2 Public Primary Certification Authority - G2,O="VeriSign, Inc.",C=US
 # Not Valid Before: Mon May 18 00:00:00 1998
 # Not Valid After : Tue Aug 01 23:59:59 2028
 # Fingerprint (MD5): 2D:BB:E5:25:D3:D1:65:82:3A:B7:0E:FA:E6:EB:E2:E1
 # Fingerprint (SHA1): B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

Comment 1 Kai Engert (:kaie) (inactive account) 2016-08-16 20:16:07 UTC
The previous comment lists 9 CAs.

Although the sum of the mentioned links is 10 CAs, apparently one of the CAs isn't part of our legacy handling.

Comment 7 Kai Engert (:kaie) (inactive account) 2016-10-19 12:40:12 UTC
This is blocked by the bugs on the dependency list.

Comment 8 Kai Engert (:kaie) (inactive account) 2016-10-24 10:54:40 UTC
These 1024-bit CAs, which have been completely removed by Mozilla in version 2.10, are still referenced by a significant percentage of sites in the public web, which include (optional) intermediate CAs in the chains sent out by the servers, which point to the legacy CAs.

Removing these CAs, or in other words, no longer trusting them, would have the consequence that applications that are based on OpenSSL, GnuTLS and glib-networking (and possibly others) could no longer verify certificates from the affected servers, and as a result, would refuse to connect to them by default.

In order to avoid this regression, I've been asked to not perform this removal at this time.
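Added example, not part of this bug or of the ca-certificates package: a small stdlib-only Python script that answers the two practical questions raised by the list in the description and by comment 8, namely whether a local trust store still contains any of the nine legacy roots, and whether a server's presented chain still carries an intermediate that leads to one of them. The SHA-1 fingerprints are copied from the bug description above; the PEM blocks used for the stand-alone run are constructed, arbitrary bytes, not real certificates, and the default bundle path and the function names are assumptions made for this example.

```python
import base64
import hashlib
import re
import sys

# SHA-1 fingerprints of the nine legacy roots listed in the bug description,
# keyed in the colon-separated form that NSS certdata.txt and
# `openssl x509 -fingerprint -sha1` print.
LEGACY_SHA1 = {
    "85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F": "VeriSign Class 3 Public Primary CA - G2",
    "A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B": "VeriSign Class 3 Public Primary CA (serial 3c:91:...)",
    "87:9F:4B:EE:05:DF:98:58:3B:E3:60:D6:33:E7:0D:3F:FE:98:71:AF": "NetLock Uzleti (Class B)",
    "E3:92:51:2F:0A:CF:F5:05:DF:F6:DE:06:7F:75:37:E1:65:EA:57:4B": "NetLock Expressz (Class C)",
    "7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45": "Equifax Secure Global eBusiness CA-1",
    "DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41": "Equifax Secure eBusiness CA-1",
    "D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A": "Equifax Secure CA",
    "74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2": "VeriSign Class 3 Public Primary CA (serial 70:ba:...)",
    "B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D": "VeriSign Class 2 Public Primary CA - G2",
}

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der_blocks(pem_text):
    """Return the DER bytes of every certificate in a PEM bundle, in file order.
    Text between blocks (ca-bundle.crt carries subject comments there) is ignored."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(pem_text)]


def fingerprint(der, algo="sha1"):
    """Colon-separated uppercase hex digest of the DER encoding; with algo="md5"
    it matches the 'Fingerprint (MD5)' lines in the description."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def find_legacy_certs(pem_text, legacy=LEGACY_SHA1):
    """Return [(index, sha1_fingerprint, name)] for every certificate in
    pem_text whose SHA-1 fingerprint is a key of `legacy`."""
    hits = []
    for idx, der in enumerate(pem_to_der_blocks(pem_text)):
        fp = fingerprint(der)
        if fp in legacy:
            hits.append((idx, fp, legacy[fp]))
    return hits


# Constructed sample input: NOT real certificates, just arbitrary bytes in PEM
# armour so the parser and the matching can be exercised offline.
def _wrap_pem(der):
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


SAMPLE_DER_A = b"\x30\x82\x00\x10constructed-leaf-not-a-real-cert"
SAMPLE_DER_B = b"\x30\x82\x00\x10constructed-root-not-a-real-cert"
SAMPLE_CHAIN = _wrap_pem(SAMPLE_DER_A) + _wrap_pem(SAMPLE_DER_B)


if __name__ == "__main__":
    # Usage: scan a PEM bundle (the installed trust store, or a chain captured
    # from a server); without an argument the constructed sample is scanned.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            hits = find_legacy_certs(f.read())
    else:
        print("no file given, scanning the constructed sample chain")
        hits = find_legacy_certs(SAMPLE_CHAIN)
    for idx, fp, name in hits:
        print("cert #%d  %s  %s" % (idx, fp, name))
    sys.exit(1 if hits else 0)
```

To check the local store on RHEL, run it against /etc/pki/tls/certs/ca-bundle.crt (an assumed path; pass whatever bundle your OpenSSL actually uses). To check the situation from comment 8 for a given site, capture the chain the server sends with `openssl s_client -connect host:443 -showcerts </dev/null > chain.pem` and scan that file: a hit there means the server still ships a cross-signed intermediate that leads to one of these legacy roots, which is exactly the chain a client without those roots may fail to verify. A hit in the trust store only says the root is still trusted locally; it says nothing about which sites depend on it.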

Comment 10 Kai Engert (:kaie) (inactive account) 2017-08-31 13:25:35 UTC
Two dependency bugs have been marked as wontfix.
I'm afraid this means this one cannot be fixed either.