jabber.org cert signed by "unknown authority"

Joe Hildebrand joe.hildebrand at webex.com
Wed Nov 11 00:08:18 UTC 2009 

Luckily, you caught me just as I was about to apply the patch.

With 10.6.1, I have a cert with that name/date with a SHA1 fingerprint of:

95 E6 AD F8 D7 71 46 02 4D D5 6A 21 B2 E7 3F CD F2 3B 35 FF

After the upgrade, that cert doesn't exist.  I've got one called "StartCom
Class 3 Primary Email Free CA" with expiration of 4/4/10, and a fingerprint
of:

CF 01 DC 25 90 C9 55 C1 8D 76 5A 34 38 F7 37 F1 EB 3B BB 71

However, that cert is marked as "This certificate was signed by an unknown
authority".



On 11/11/09 7:17 AM, "Peter Saint-Andre" <stpeter at stpeter.im> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> On 11/11/09 5:27 AM, Peter Saint-Andre wrote:
>> On 11/10/09 10:55 PM, Zachary West wrote:
>>> Is the certificate chain missing a link to the root, or is its root CA
>>> suddenly untrusted on Snow Leopard?
>> 
>> I'm looking into this with folks from StartCom. There have, over time,
>> been two StartCom roots. Certificates issued by the XMPP ICA (which is
>> no longer issuing certificates, because now they are being issued
>> directly by StartCom) were issued under the old root. So it seems to me
>> that perhaps Apple removed the old root from their cert store before all
>> the certificates issued under that root had expired. I'll follow up with
>> StartCom about this and report back.
> 
> Further research indicates that this is a problem only on Snow Leopard
> (I just installed the latest security update on Leopard and the old root
> is still in the keychain).
> 
> Could someone do me a favor and look in their keychain on Snow Leopard
> to verify that a root for "Free SSL Certification Authority" is or is
> not in the system roots? (Click to inspect the cert and it will mention
> StartCom -- the old root expires on March 11, 2035.)
> 
> Thanks!
> 
> Peter
> 
> - --
> Peter Saint-Andre
> https://stpeter.im/
> 
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.8 (Darwin)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkr55mwACgkQNL8k5A2w/vzb+gCfdmHbCrTS2Ukn/gJD4sCc3UgR
> aO8An1/8lEKP5JUOB/EpgiG9DO0SPvQP
> =KZuZ
> -----END PGP SIGNATURE-----
> 

-- 
Joe Hildebrand

More information about the devel mailing list