Closed Bug 418907 Opened 17 years ago Closed 16 years ago

Add Trustwave SecureTrust CA and Secure Global CA root CA certificates to NSS

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: hecker, Assigned: KaiE)

References

Details

Attachments

(3 files)

Trustwave SecureTrust CA certificate
1.32 KB, application/x-x509-ca-cert
Details
Trsutwave Secure Global CA certificate
1.32 KB, application/x-x509-ca-cert
Details
preliminary code
11.90 KB, patch
Details | Diff | Splinter Review 
his bug requests inclusion in the NSS root certificate store of the following two root CA certificates, owned by Trustwave:

1) Friendly name: "SecureTrust CA"
   SHA-1 fingerprint:
87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
   Trust flags: Web sites, Object signing
   URL:
https://www.securetrust.com/legal/STCA.txt

2) Friendly name: "Secure Global CA"
   SHA1 Fingerprint:
3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B
   Trust flags: Web sites, Email, Object signing
   URL:
https://www.securetrust.com/legal/SGCA.txt

The certificate(s) themselves will be attached momentarily, as downloaded from
the URLs above and verified using the stated fingerprints.

The SecureTrust CA and Secure Global CA have been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion per bug 409837 and bug 409838.

The remaining steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate(s). This process is mostly under
the control of the release drivers for those products.

    
    

    
  


  

    
  
Blocks: 418910

    
  
Assignee: nobody → kengert

    
    

    
  

      
      
      
      

        Attached patch
          
          
        preliminary codeSplinter Review
      

    


  
No patch yet, I hope to combine the work for this patch with additional CA inclusions (soon), but here is what I already produced for testing, so it saves me some work later.

addbuiltin -n "SecureTrust CA" -t C,,C < p-418907-ca1.der >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt

addbuiltin -n "Secure Global CA" -t C,C,C < p-418907-ca2.der >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt

    
  
Depends on: 425469

    
    

    
  
Dear Trustwave representatives, you have not yet confirmed the information listed in this bug is correct.

I went ahead and included your certificate in a test build anyway.
Please read bug 425469 comment 3 to find the binary roots module for testing and follow Frank's requests given in this tracking bug.

Adding your roots to Mozilla/NSS is blocked pending your confirmation that everything is correct.

Please do not forget to verify the trust flags are correct.


    
    

    
  
Kai -
Sorry for the delay.  All seems to be good technically, but would it be possible to group the three Trustwave CAs under Trustwave as opposed to where it is currently:
1)secureglobal CA (SGCA) and securetrust CA (STCA) under securetrust 2)xramp CA (XGCA) under xramp

Have it as:
Trustwave
--(SGCA)
--(STCA)
--(XGCA)

"XRamp Security Services, Inc.", is a successor to SecureTrust corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave").  Neither XRamp or Securetrust legally exist anymore.

Rgds,
Andrew


    
    

    
  
Andrew, are you referring to the order as displayed within certificate manager?
Sorry, but that order isn't manual. It's automatically created based on the O= (if I remember correctly) or some other field.


    
    

    
  
Andrew, in comment 5 you said:

> All seems to be good technically

I assume you're saying:
- all information in this bug is correct
- you have tested the binary
- the binary works as desired
- we can go ahead and add the roots

Please speak up if I'm wrong.


    
    

    
  
I said "All seems to be good technically" which means yes to all 4 bullets.

What I was hoping in response to 3-31 09:54 was that the three Trustwave roots would be blocked underneath a "Trustwave" heading, much as all of Verisigns Class 1-n is blocked under "Verisign" within certificate manager.  In a quick look, it appears that all are blocked by the "O=", so if it cant be done - then "oh, well" - it is no show stopper.

ag 

    
    

    
  
This root was added to NSS for version 3.12 with a checkin noted in bug 425469.
Marking fixed.

Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
  
Target Milestone: --- → 3.12

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: