VeriSign's Class 1, 2 and 3 public Primary Certification Authority
(PCA) root certificates will expire on January 7, 2004.

Their expiration may cause certain older Web browsers to display
security alerts when connecting to secure websites. Some visitors to
secure campus websites who are using older browsers may thus begin
encountering error messages on or after that date.

It may also interfere with HTTPS connections to Apache, Microsoft
IIS, Netscape, and other types of Web servers using 128-bit VeriSign
certificates (aka "Global Server IDs"), that haven't been upgraded -
whether automatically or manually - with newer root certificates by
January 7, 2004.

Finally, the expiration of these root certificates may also lead to
authentication failure error messages or prevent HTTPS connections on
the part of at least a few Java applications and applets.

An overview of the issue of periodic expiration of VeriSign root
certificates:

VeriSign Australia
"Periodic Root Certificate Expiration"
http://www.esign.com.au/repository/faq/rootCA_faq.shtml

A few notes regarding some types of affected software:
- Some older Web browsers
One financial institution's site reports that:
>If you are using an older web browser (i.e. Internet Explorer 5.2 or
>before, AOL 5.0 or before, Netscape 4.7 or before, etc.), you may
>encounter a security alert whenever logging on to our website. Since
>some of the earlier versions of these browsers are incompatible with
>security certificates that expire after January 7, 2004, they may
>display a security alert whenever you attempt to access a secure
>website with current certificates.
Bank of America's site provides a more opaque version of this
warning, and identifies the affected versions of IE as 5.5 and
earlier:
>An important feature of Microsoft's Internet Explorer browser,
>versions 5.5 and below, is set to expire on January 7, 2004. (NOTE:
>This does not include Mac users). If you use one of these versions
>of Microsoft's browser, we strongly recommend that you download and
>install the latest Microsoft browser now.
The types of security alerts that users of these older browsers may see
*may* be similar to the "certificate authority expired" or "security
certificate expired" messages which users of then-older browsers
encountered when a number of vendors' root certificates last expired
on December 31, 1999:
http://y2k.berkeley.edu/computers/fixpcs/issues/root-certificate-expiry.html
- Web servers using 128-bit SSL certificates (Global Server IDs)
whose Global Server Intermediate Root CA has not been updated:
VeriSign
"Expiration of VeriSign Global Server ID Intermediate
Root CA on 1/7/2004"
http://www.verisign.com/support/vendors/exp-gsid-ssl.html
http://www.verisign.com/support/vendors/exp-gsid-mpki.html
>The old VeriSign [128-bit SSL] Global Server Intermediate Root CA
>will expire on 1/7/2004. Servers ... using VeriSign 128-bit SSL
>certificates (Global Server IDs) ... that have not been updated
>with the new Global Server Intermediate Root CA will experience
>issues establishing SSL (https) sessions after 1/7/2004.
>
>Some server software automatically updates the intermediate root CA
>certificate in the server certificate store, while other server
>software requires manual updates of the intermediate root CA.
>Although VeriSign has been providing instructions on how to manually
>install the new Global Server Intermediate Root CA to all GSID
>customers since December, 2001, it is possible that some customers
>may not have noticed the reminder and are unaware of this issue. ...
>
>The solution is to update the intermediate root CA certificate store
>on your server(s) with the latest version of the VeriSign Global
>Server Intermediate Root CA. A copy of the new Intermediate Root CA
>(along with instructions on updating Microsoft IIS 4.0, Microsoft
>IIS 5.0, Apache, and Netscape 3.6) is available at the following
>link:
>
>https://www.verisign.com/support/site/caReplacement.html
- Java-based applications or applets deployed with the Java Plug-in
or Java Web Start which authenticate using certificates issued by the
expiring root certificates
or
that access websites via HTTPS using Sun's default Java Secure Socket
Extension (JSSE) TrustManager or custom TrustManagers which behave
similarly:
Sun(sm) Alert Notification (Alert ID: 57436)
"Synopsis: Verisign Class 3 and Class 2 PCA Root Certificate Expiration"
http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert%2F57436
>1. Java applications and applets, deployed with the Java Plug-in
>or Java Web Start which authenticate using certificates issued by
>the expiring root certificates may encounter a security warning
>dialog box indicating an authentication failure ...
>2. Java applications or applets using a Java Secure Socket
>Extension (JSSE) TrustManager ... such as the default JSSE
>X509TrustManager("SunX509") ... that do not recognize expired root
>certificates may not be able to access web sites via https ...
>
>This issue is addressed in the following J2SE releases:
>SDK and JRE 1.4.2_03 and later
>SDK and JRE 1.4.1_06 and later
>SDK and JRE 1.3.1_10 and later (available on December 15, 2003)
FYI.
Aron Roberts
Workstation Software Support Group
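
An added example, not part of the original message or of any vendor's instructions: one way to find out whether a server's CA chain file or an exported trust store still carries a certificate that expires on or before a given date. It assumes the openssl command-line tool and GNU date are installed; the function names expiring_certs and make_demo_bundle are hypothetical, and the demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example: list the certificates in a PEM bundle whose notAfter
# falls on or before a cutoff. Assumes the openssl CLI and GNU date (-d).

# expiring_certs BUNDLE CUTOFF
#   Prints "notAfter<TAB>subject" for every certificate in BUNDLE that
#   expires on or before CUTOFF (any date string GNU date understands).
expiring_certs() {
    bundle=$1
    cutoff_epoch=$(date -u -d "$2" +%s) || return 2
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate.
    awk -v dir="$tmpdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%04d.pem", dir, n) }
        out != "" { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
    ' "$bundle"
    for pem in "$tmpdir"/cert*.pem; do
        [ -f "$pem" ] || continue
        end=$(openssl x509 -in "$pem" -noout -enddate | sed 's/^notAfter=//')
        subject=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
        end_epoch=$(date -u -d "$end" +%s)
        if [ "$end_epoch" -le "$cutoff_epoch" ]; then
            printf '%s\t%s\n' "$end" "$subject"
        fi
    done
    rm -rf "$tmpdir"
}

# make_demo_bundle FILE
#   Writes two constructed self-signed certificates (valid for 1 day and
#   for 3650 days) into FILE so the check can be tried offline.
make_demo_bundle() {
    : > "$1"
    for spec in "short-lived:1" "long-lived:3650"; do
        openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
            -subj "/CN=demo ${spec%%:*}" -days "${spec##*:}" 2>/dev/null >> "$1"
    done
}
```

For the date in this notice the call would be expiring_certs CHAIN.pem "2004-01-07 23:59:59 UTC", where CHAIN.pem stands for the server's own intermediate/root bundle; any line printed names a certificate that needs replacing.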
Received on Sun Dec 21 21:33:27 2003