It seems that Firefox contains a unknown root certificate that nobody seems to know anything about.
I propose that the "RSA Security 1024 V3" root certificate authority be
removed from NSS.
OU = RSA Security 1024 V3
O = RSA Security Inc
Valid From: 2/22/01
Valid To: 2/22/26
I have not been able to find the current owner of this root. Both RSA
and VeriSign have stated in email that they do not own this root.
Therefore, to my knowledge this root has no current owner and no current
audit, and should be removed from NSS.
Further information is provided in a bug report:
I have exchanged email with both RSA and VeriSign, and both have stated that they do not own the "RSA Security 1024 V3" root certificate.
This is a significant security isse since digital certificates rely on a chain of trust, and the trust anchor for digital certificates is the Root Certificate Authority (CA). Specifically, web browsers use root certificates to verify identities used for secure web connections. However, the users of web browsers have to rely on the browser publisher to make sure that these root certificates are valid. The fact that Firefox contains a root certificate where the current owner is unknown (at this time at any rate) is a little worrying.
Trust no one ...