Open
Description
I'm opening this case for discussion so you can be aware. With the release of RHEL 10 this coming month, they will no longer support SHA1 in their crypto tools. It's unclear even with testing if this is just for creation or if it also includes decryption.
See "The LEGACY cryptographic policy disallows SHA-1 signatures in TLS".
I noticed that the existing .pem file continues to include SHA1-signed signatures. I realize this is because it gets its list of certs from some central authority. I wonder if it's time to drop support or provide an alternate .pem file without SHA1 signatures.
Of the 151 certs, 26 are still signed with SHA1. I'm attaching them in this ticket for review:
subject=C = BE, O = GlobalSign nv-sa, OU = Root CA, CN = GlobalSign Root CA | Expires: Jan 28 12:00:00 2028 GMT
subject=O = Entrust.net, OU = www.entrust.net/CPS_2048 incorp. by ref. (limits liab.), OU = (c) 1999 Entrust.net Limited, CN = Entrust.net Certification Authority (2048) | Expires: Jul 24 14:15:12 2029 GMT
subject=C = IE, O = Baltimore, OU = CyberTrust, CN = Baltimore CyberTrust Root | Expires: May 12 23:59:00 2025 GMT
subject=C = US, O = "Entrust, Inc.", OU = www.entrust.net/CPS is incorporated by reference, OU = "(c) 2006 Entrust, Inc.", CN = Entrust Root Certification Authority | Expires: Nov 27 20:53:42 2026 GMT
subject=C = GB, ST = Greater Manchester, L = Salford, O = Comodo CA Limited, CN = AAA Certificate Services | Expires: Dec 31 23:59:59 2028 GMT
subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 2 | Expires: Nov 24 18:23:33 2031 GMT
subject=C = BM, O = QuoVadis Limited, CN = QuoVadis Root CA 3 | Expires: Nov 24 19:06:44 2031 GMT
subject=C = US, OU = www.xrampsecurity.com, O = XRamp Security Services Inc, CN = XRamp Global Certification Authority | Expires: Jan 1 05:37:19 2035 GMT
subject=C = US, O = "The Go Daddy Group, Inc.", OU = Go Daddy Class 2 Certification Authority | Expires: Jun 29 17:06:20 2034 GMT
subject=C = US, O = "Starfield Technologies, Inc.", OU = Starfield Class 2 Certification Authority | Expires: Jun 29 17:39:16 2034 GMT
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Assured ID Root CA | Expires: Nov 10 00:00:00 2031 GMT
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root CA | Expires: Nov 10 00:00:00 2031 GMT
subject=C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert High Assurance EV Root CA | Expires: Nov 10 00:00:00 2031 GMT
subject=C = CH, O = SwissSign AG, CN = SwissSign Gold CA - G2 | Expires: Oct 25 08:30:35 2036 GMT
subject=C = CH, O = SwissSign AG, CN = SwissSign Silver CA - G2 | Expires: Oct 25 08:32:46 2036 GMT
subject=C = US, O = SecureTrust Corporation, CN = SecureTrust CA | Expires: Dec 31 19:40:55 2029 GMT
subject=C = US, O = SecureTrust Corporation, CN = Secure Global CA | Expires: Dec 31 19:52:06 2029 GMT
subject=C = GB, ST = Greater Manchester, L = Salford, O = COMODO CA Limited, CN = COMODO Certification Authority | Expires: Dec 31 23:59:59 2029 GMT
subject=C = FR, O = Dhimyotis, CN = Certigna | Expires: Jun 29 15:13:05 2027 GMT
subject=C = TW, O = "Chunghwa Telecom Co., Ltd.", OU = ePKI Root Certification Authority | Expires: Dec 20 02:31:27 2034 GMT
subject=C = RO, O = certSIGN, OU = certSIGN ROOT CA | Expires: Jul 4 17:20:04 2031 GMT
subject=C = US, O = AffirmTrust, CN = AffirmTrust Networking | Expires: Dec 31 14:08:24 2030 GMT
subject=C = PL, O = Unizeto Technologies S.A., OU = Certum Certification Authority, CN = Certum Trusted Network CA | Expires: Dec 31 12:07:37 2029 GMT
subject=C = TW, O = TAIWAN-CA, OU = Root CA, CN = TWCA Root Certification Authority | Expires: Dec 31 15:59:59 2030 GMT
subject=CN = ACCVRAIZ1, OU = PKIACCV, O = ACCV, C = ES | Expires: Dec 31 09:37:37 2030 GMT
subject=O = TeliaSonera, CN = TeliaSonera Root CA v1 | Expires: Oct 18 12:00:50 2032 GMT