This was announced on: http://groups.google.com/group/mozilla.dev.security.policy/browse_thread/thread/b6493a285ba79998/26fca75f9aeff1dc Recommendation from upstream is to remove said CA.
Most recent comment (comment #8) on the upstream bug says: > RSA has confirmed that they are in possession of the private key for the "RSA Security 1024 V3" root certificate. RSA agrees that this root should be removed from NSS. > > There is no recent audit for this "RSA Security 1024 V3" root certificate, because it is no longer in use. Therefore, I will continue with the root removal process as described in https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root
(In reply to comment #1) > Most recent comment (comment #8) on the upstream bug says: > > RSA has confirmed that they are in possession of the private key for the "RSA Security 1024 V3" root certificate. RSA agrees that this root should be removed > from NSS. > > > > There is no recent audit for this "RSA Security 1024 V3" root certificate, > because it is no longer in use. Therefore, I will continue with the root > removal process as described in > https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root > There is no security issue here at all, I do not see a point in us removing it at the distro level. Security team I advise to close invalid. Mozilla team can be readded if and when a true security issue is found for nss.
Was found to not be a security issue upstream, closing.