The Opera Rootstore

The Roots of Internet trust

GlobalSign SHA-256, Verisign roots, new repository version

, , , , , , , ,

GlobalSign have added a SHA-256 signed Root to the repository. This is a step preparing for a future changeover to using SHA-256 when signing certificates. Currently there are no test sites available.

As mentioned earlier when we updated two of their certificates, Verisign have been updating some of their certificates that were signed with MD2 so that they are signed using the more secure SHA-1 method instead. However, there were some problems with the Class 3 (G1) certificate chain: all the intermediate certificates issued by the Root were chaining to the old MD2 Root because they specified the serial number of that certificate. Therefore new replacements for the intermediates had to be issued as well.

Unfortunately, testing showed that at this time it is not practical to update older versions (9.5 and 9.6) to use this Root due to a bug in the certificate verification code (updating the older clients would "break the Web"). This, combined with missing functionality in the repository language, meant that to be able to use the new Class 3 Root we had to create a new version of the repository ("03") where the "02"-version's shortcomings have been fixed. The new version will be used by upcoming releases of 10.0, in which MD2 support will be completely disabled. Further down the road, when "all" servers have been updated with the new intermediates, we may replace the certificates for older clients, too.
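The chaining problem and the effect of disabling MD2 can be modelled in a few lines; this is an added illustration, not Opera's verification code. It assumes the serial-number reference is the X.509 Authority Key Identifier's authorityCertSerialNumber field and that the reissued intermediate points at the new Root's serial; all names, serials and key ids are constructed placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional

WEAK_DIGESTS = {"md2"}  # digest the client refuses once MD2 support is disabled

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    key_id: str                       # stands in for the subject public key
    sig_digest: str                   # digest used in the certificate signature
    aki_key_id: Optional[str] = None  # AKI keyIdentifier, if present
    aki_serial: Optional[int] = None  # AKI authorityCertSerialNumber, if present

def aki_matches(child: Cert, candidate: Cert) -> bool:
    """True if the candidate issuer satisfies every issuer hint in the child."""
    if child.issuer != candidate.subject:
        return False
    if child.aki_key_id is not None and child.aki_key_id != candidate.key_id:
        return False
    # A serial-number hint pins the child to one specific issuer certificate,
    # even when a replacement carries the same name and the same key.
    if child.aki_serial is not None and child.aki_serial != candidate.serial:
        return False
    return True

def usable_roots(child: Cert, store: List[Cert], allow_md2: bool) -> List[Cert]:
    """Roots in the store that the child can chain to under the digest policy."""
    return [root for root in store
            if aki_matches(child, root)
            and (allow_md2 or root.sig_digest not in WEAK_DIGESTS)]

# Constructed sample data (hypothetical names and serials, not real certificates).
OLD_ROOT = Cert("Example Class 3 CA", "Example Class 3 CA", 0x1001, "key-A", "md2")
NEW_ROOT = Cert("Example Class 3 CA", "Example Class 3 CA", 0x2002, "key-A", "sha1")
OLD_INTERMEDIATE = Cert("Example Issuing CA", "Example Class 3 CA", 0x30,
                        "key-B", "sha1", aki_serial=0x1001)
NEW_INTERMEDIATE = Cert("Example Issuing CA", "Example Class 3 CA", 0x31,
                        "key-B", "sha1", aki_serial=0x2002)

if __name__ == "__main__":
    for name, cert in (("old", OLD_INTERMEDIATE), ("new", NEW_INTERMEDIATE)):
        roots = usable_roots(cert, [NEW_ROOT], allow_md2=False)
        print(name, "intermediate chains to", [hex(r.serial) for r in roots])
```

With only the new Root in the store, the old intermediate finds no issuer at all, which is why servers need the reissued intermediates before the Root can be swapped.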

The fourth RSA root signed with MD2 (the "RSA Secure Server Certification Authority" Root) is now being replaced in all 9.50+ builds, as it does not have the problems mentioned above. This certificate is also being phased out, so it is not going to remain in the repository for long; it expires early January.

Comments

Chas4 15. August 2009, 06:58

:cool:

supercoloring 9. November 2009, 15:29

:happy:
nice article
