

Mozilla contains unidentified root certificates - Spark23
https://bugzilla.mozilla.org/show_bug.cgi?id=549701

======
olefoo
Headline sensationalist much? Two certs are mentioned, both belonging to RSA,
one of which doesn't appear to have been covered by their most recent audit
and is therefore a candidate for removal.

~~~
forkqueue
That's not quite what it says - the one that wasn't covered by the most recent
audit isn't a candidate for removal until 1/1/2012 at the earliest. The other
certificate is completely unknown.

This thread gives more context:

[http://groups.google.com/group/mozilla.dev.security.policy/b...](http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc)

~~~
olefoo
That's a bit more information, but the headline here at HN is still overblown;
we're down to one unidentified root certificate that was probably issued by
RSA, but for which no records can be found. Most probably attributable to
incompetence and poor recordkeeping rather than a malicious compromise of the
whole PKI.

~~~
extension
If I were going to sneak in my own root cert, I would give it a name and date
very similar to an existing one.

~~~
bigiain
And wasn't there some discussion in the last week or two about how easily you
could impersonate anybody's valid SSL cert if you could get hold of a real
root cert? (Something about browsers not notifying users that a previously
seen cert is now authenticating via a different root?)

~~~
extension
I am not a crypto expert so correct me if I'm wrong, but as I understand it,
anyone with a root key necessarily can subvert the entire system in a
straightforward way.
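The point made in the last two comments (any key the trust store treats as a root can mint a valid-looking certificate for any hostname, and nothing in the chain itself reveals that) can be shown with the openssl CLI. This is an added example, not code from the thread or from Mozilla; it assumes `openssl` (1.1 or later) is on the PATH, and the "rogue" CA name, the hostname www.example.com and the temp directory are made up for the demonstration.

```sh
#!/bin/sh
# Added example: a freshly generated, unaudited "root CA" signs a certificate
# for www.example.com. The same leaf is "trusted" or "untrusted" depending only
# on whether that root is in the verifier's store; the leaf itself is
# indistinguishable from a legitimately issued one.
set -e

WORK="${TMPDIR:-/tmp}/rogue-root-demo.$$"   # scratch dir, assumption
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Self-contained openssl config so the demo does not depend on the system
# openssl.cnf. The CA name is invented to resemble a real vendor's root,
# echoing the thread's "similar name and date" remark.
cat > "$WORK/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
O = Rogue Security Inc.
CN = Rogue Security Root CA 2
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ leaf_ext ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
EOF

# 1. Mint the rogue root (self-signed, CA:TRUE).
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 30 \
  -config "$WORK/demo.cnf" \
  -keyout "$WORK/rogue-ca.key" -out "$WORK/rogue-ca.pem" >/dev/null 2>&1

# 2. Issue a leaf for a hostname we do not control, signed by that root.
openssl req -new -newkey rsa:2048 -nodes -sha256 \
  -config "$WORK/demo.cnf" -subj "/CN=www.example.com" \
  -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
openssl x509 -req -in "$WORK/leaf.csr" -sha256 -days 30 \
  -CA "$WORK/rogue-ca.pem" -CAkey "$WORK/rogue-ca.key" -CAcreateserial \
  -extfile "$WORK/demo.cnf" -extensions leaf_ext \
  -out "$WORK/leaf.pem" >/dev/null 2>&1

# check_chain HOST CAFILE
#   Prints "trusted" if the leaf verifies for HOST against a store that
#   contains only CAFILE, or "untrusted" otherwise. An empty CAFILE means an
#   empty trust store (the rogue root was never added).
check_chain() {
  if [ -n "$2" ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$2" \
      -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  else
    openssl verify -no-CAfile -no-CApath \
      -verify_hostname "$1" "$WORK/leaf.pem" >/dev/null 2>&1 \
      && echo trusted || echo untrusted
  fi
}

# Who the leaf claims to be, and who signed it. Nothing here looks "wrong";
# only the trust store decides.
openssl x509 -in "$WORK/leaf.pem" -noout -subject -issuer

echo "rogue root in store:     $(check_chain www.example.com "$WORK/rogue-ca.pem")"
echo "rogue root not in store: $(check_chain www.example.com "")"
echo "wrong hostname:          $(check_chain evil.example.net "$WORK/rogue-ca.pem")"
```

The leaf contains no marker of having come from a rogue issuer; `openssl verify` accepts it for www.example.com the moment the rogue root is in the store and rejects it otherwise. That is why an unidentified root in a browser's bundle matters regardless of how it got there: any holder of its private key gets the same result as a legitimate CA, and a client that does not pin or at least notice a change of issuer for a site it has visited before has no independent way to tell.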

