Removing the RSA Security 1024 V3 Root

Johnathan Nightingale


There’s been confusion today about the work we’re doing on our root store, the set of trusted certificate authorities shipped with Mozilla products. The short story is this: we’re removing the “RSA Security 1024 V3” root from that list. Its owners have confirmed that it is not in use and not covered by current audits. We regularly check for roots whose audits have lapsed or for which we don’t have an up-to-date point of contact; it’s part of keeping our root program healthy.

The confusion stems from a comment made in the newsgroup threads discussing the removal which suggested that the root didn’t have a current owner. We know where the root came from: it was added at RSA’s request several years ago and vetted according to our inclusion guidelines. When we contacted RSA to confirm current contact and audit information for it, though, we didn’t get a clear answer as to whether it was in use, covered by recent audits, or decommissioned. We expect every root in our program to have a clear and active owner and, failing to get that clarity from RSA, we moved to pull this root from the product.

RSA has since confirmed that this root is no longer needed and can be removed from the product. That clarity, while late, is welcome and confirms our original decision.

This legitimate but inactive certificate will be present in all consumers of Mozilla’s NSS security library until the removal takes effect. Questions about Apple’s inclusion of this root in their keychain system, and their plans for removal, are best directed to Apple.

Johnathan Nightingale
Director of Firefox Development

12 responses

  1. Concerned User wrote:

    Hello Johnathan,

    So will the certificate be removed with the next update?

  2. Avatar wrote:

    Hello Mr. Nightingale: et al,

    After reviewing RSA’s CAs on two different computers using Firefox 3.6.3 (both running Windows, one XP, the other Win7), none were verifiable. The Verisign CA cannot be verified because it has expired. 2048 and 1024, however, could not be verified “for unknown reasons.”

  3. Bill wrote:

    Until the update is released, would it be good to manually delete the certificate from our personal installation?

  4. Johnathan Nightingale wrote:

    @Bill – There’s no need, really. This is a dormant certificate – RSA confirms that they still have the key material secure, they just don’t use the certificate; we’re removing it as a housekeeping measure, not a reaction to any perceived threat.

    @Concerned User – This certificate will be removed from the development trunk of NSS shortly, but it will take a while for the change to propagate out to all the products that use NSS.

  5. Tim Kanuka wrote:

    There also seems to be a problem with certs from Thawte. Eg.
    https://www.gmail.com

  6. as901 wrote:

    To remove, go to Edit, preferences, Advanced, View certificates and delete RSA Security 1024 V3 Root.

  7. Philip wrote:

    @as901

    If I delete it, close the dialog and open it again, the certificate still exists.

  8. Person who does not trust CNNIC wrote:

    Why do we trust the Hong Kong Post Office and CNNIC? This calls into question the reliability of Firefox.

    http://groups.google.com/group/mozilla.dev.security.policy/msg/994b434234ed749b

  9. FadedMemory wrote:

    @Philip

    I just deleted mine, looked to see if it came back and you’re correct: it came back. However, I clicked the Edit button before and after I deleted it and I noticed that all the boxes are checked before the delete and they are unchecked after I deleted the CA. I assume the “Delete” button just disables the CA instead of actually removing it.

  10. Concerned User wrote:

    @ FadedMemory: That is correct! Even if you delete the certificate, it is still there. However, the options have been unchecked.

  11. Tom Hargrave wrote:

    There is so much going on with today’s PCs that we have to depend on software vendors to keep their back porch clean. It seems “no harm done” this time but this could have been a very serious situation.

  12. News Haven wrote:

    @Concerned User
    I deleted mine, but it did not come back, and I’m not sure why. I’ll check it again later.