Open lgarron opened 8 years ago
I can give you a SHA-1 cert under our pulled "UTN - DATACorp SGC" root if you provide a CSR and complete the validation process. Don't feel obliged to accept this offer if you think it's unnecessary though.
I think it's a good one to have, although I think the domain name should be different.
Many organizations are using these certs and to be honest I can't remember off the top of my head where they stopped being trusted. With a domain like this, I could fire up an old browser and check.
> I think the domain name should be different.

Not sure I understand what this is referencing; different from what?
What about pulled-root and sha1-pulled-root?
Just that I think it should not reuse the existing domains. legacy-sha1, maybe, to reflect that they're mostly used on legacy devices?
> to reflect that they're mostly used on legacy devices?

Hmm, I'd prefer the subdomain name to make it clear what exactly it serves. Is there a precedent for calling these "legacy" roots maybe?
I think that's what Comodo calls them in their intermediate? @robstradling?
> Is there a precedent for calling these "legacy" roots maybe?

Oh, of course! LV was even named that way: https://blog.cloudflare.com/sha-1-deprecation-no-browser-left-behind/
legacy and legacy-sha1 sound good to me.
(legacy-sha1 is a different order from sha1-201{6, 7}, but I guess I don't mind too much. It's hard to come up with a consistent nesting scheme.)
I don't have any strong preference on the order. One is consistent with our other domains, the other sounds more natural.
Actually, what about putting them all under the legacy.badssl.com namespace?
legacy.badssl.com
sha1.legacy.badssl.com
That way, if Rob offers even more kinds of broken legacy certs, it's very clear where to put them. (The main reason I haven't nested other subdomains is that we can't use a wildcard for them, but that doesn't apply if each subdomain needs its own cert, as is presumably the case here.)
💯
Yeah, we use the term "legacy" in the intermediate.
So I don't lose track: Clint Wilson also offered one from DigiCert's GTE CyberTrust Root (expires on August 12, 2018).
Just remembered that GitHub has a help wanted label!
If anyone at all wants to take this on, we need:
- /certs/Makefile to generate a CSR.
- /certs/sets/pregen/
- We'll need to figure out what to do with these domains for testing. Options include:
  - BadSSL Legacy Certificate Authority (probably the best idea).
  - domains-prod-only folder similar to domains-local-only (but then you can't test at all locally).
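As an added example (not code from the badssl repo or from anyone in this thread), a shell script sketching the local-testing option above: a throwaway "BadSSL Legacy Certificate Authority" that takes a CSR for sha1.legacy.badssl.com and issues a SHA-1-signed leaf, then reads back the signature algorithm so a test can confirm the leaf really is SHA-1. The file layout, CA name and 30-day lifetimes are assumptions.

```shell
#!/bin/sh
# Added example, not from the badssl repo. Builds a local-only "BadSSL Legacy
# Certificate Authority" and has it issue a SHA-1-signed leaf for
# sha1.legacy.badssl.com, so the subdomain can be exercised without a real
# cert under a pulled root. Paths and the CA name are assumptions.
set -e

WORK="${WORK:-$(mktemp -d)}"

# Self-signed, SHA-1-signed root for local testing only (assumed name).
make_legacy_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha1 -days 30 \
    -subj "/CN=BadSSL Legacy Certificate Authority (local test)" \
    -keyout "$WORK/legacy-ca.key" -out "$WORK/legacy-ca.pem" 2>/dev/null
}

# Key + CSR for one subdomain (the Makefile step the issue asks for).
make_csr() {
  name="$1"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
}

# Sign the CSR with the legacy CA, forcing the SHA-1 signature that the
# sha1.legacy subdomain is meant to serve.
issue_sha1_leaf() {
  name="$1"
  printf 'subjectAltName=DNS:%s\n' "$name" > "$WORK/$name.ext"
  openssl x509 -req -sha1 -days 30 -in "$WORK/$name.csr" \
    -CA "$WORK/legacy-ca.pem" -CAkey "$WORK/legacy-ca.key" -CAcreateserial \
    -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

# Signature algorithm actually present in the issued cert, so a check can
# catch a leaf that was silently signed with SHA-256 instead.
leaf_sig_alg() {
  openssl x509 -in "$WORK/$1.pem" -noout -text \
    | sed -n 's/^ *Signature Algorithm: \([A-Za-z0-9]*\).*/\1/p' | head -n 1
}

make_legacy_ca
make_csr sha1.legacy.badssl.com
issue_sha1_leaf sha1.legacy.badssl.com
echo "sha1.legacy.badssl.com signed with: $(leaf_sig_alg sha1.legacy.badssl.com)"
```

Modern OpenSSL builds still sign with SHA-1 on request but refuse to verify such chains at the default security level, which is exactly the behaviour the legacy subdomains exist to demonstrate.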
@robstradling offered on Twitter: https://twitter.com/rob_comodo/status/788843479313084421
Myself, I don't feel the need to add this (more certs => more to manage, see #217), but I wouldn't be opposed.