Mozilla security saw a new bug-report filed at bugzilla ^[1] reporting an unclaimed RSA root certificate. The certificate goes by the name of RSA Security 1024 V3. Both Verisign and RSA have declined ownership of this certificate.

Kathleen Wilson ^[2], an active Consultant at Mozilla Corporation has been actively digging through Mozilla security issues. He writes at this Mozilla security Google group saying,

I propose that the “RSA Security 1024 V3″ root certificate authority be
removed from NSS.

OU = RSA Security 1024 V3
O = RSA Security Inc
Valid From: 2/22/01
Valid To: 2/22/26
SHA1 Fingerprint:
3C:BB:5D:E0:FC:D6:39:7C:05:88:E5:66:97:BD:46:2A:BD:F9:5C:76

I have not been able to find the current owner of this root. Both RSA
and VeriSign have stated in email that they do not own this root.

This issue got everyone worried about this being a rouge certificate. However, later Wilson assured the certificate’s origin by saying,

I have received email from official representatives of RSA confirming
that RSA did indeed create the “RSA Security 1024 V3″ root certificate
that is currently included in NSS (Netscape/Mozilla) and also in Apple’s
root cert store.

He also added that that RSA has since, dropped the root certificate and so should Mozilla. In another mail from RSA, it was told that the private key for this root was safe with RSA. This assures that this flaw was not exploited and now the certificate will be removed from NSS (Network Security Services).

[ Via: LinuxToday ^[3] ]