Bug 1274677: Enable Certplus and OpenTrust root certificates for EV in PSM
Status: RESOLVED FIXED (opened 8 years ago, closed 8 years ago)
Categories: Core :: Security: PSM, enhancement, P1
Target Milestone: mozilla50
People: Reporter: kwilson, Assigned: keeler
Whiteboard: [psm-assigned]
Attachments: 1 file

| | Tracking | Status |
|---|---|---|
| firefox50 | --- | fixed |

Per bug #1025095 the request from DocuSign (OpenTrust/Keynectis) has been approved to enable the following root certificates for EV use. Please make the corresponding changes to PSM.

Friendly Name: Certplus Root CA G1
SHA-1 Fingerprint: 2:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
SHA-256 Fingerprint: 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.1
Test URL: https://certplusrootcag1-test.opentrust.com

Friendly Name: Certplus Root CA G2
SHA-1 Fingerprint: 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
SHA-256 Fingerprint: 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.2
Test URL: https://certplusrootcag2-test.opentrust.com

Friendly Name: OpenTrust Root CA G1
SHA-1 Fingerprint: 79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E
SHA-256 Fingerprint: 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag1-test.opentrust.com

Friendly Name: OpenTrust Root CA G2
SHA-1 Fingerprint: 79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B
SHA-256 Fingerprint: 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag2-test.opentrust.com

Friendly Name: OpenTrust Root CA G3
SHA-1 Fingerprint: 6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6
SHA-256 Fingerprint: B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag3-test.opentrust.com

Comment 1 • 8 years ago (Reporter)
Remi, Please confirm that the information in this bug is correct.
Comment 2 • 8 years ago
The EV Policy OIDs have been verified and are correct. Test URLs and fingerprints are correct, with the same remark as in bug 1274674 regarding the SHA1 fingerprint for Certplus Root CA G1 (missing quartet).
Comment 3 • 8 years ago (Reporter)
Erwann, Thank you for pointing out the mistake in the SHA1 fingerprint of Certplus Root CA G1, which should read:
SHA-1 Fingerprint: 22:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
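
The mistake caught in comments 2 and 3 is a dropped hex digit, which leaves the group count at 20 and so passes a length-only check. The following is an added example, not part of the bug thread or of PSM, with function names made up here: it checks every group of the SHA-1 fingerprints as originally filed and groups the roots by EV policy OID.

```python
import re
from collections import defaultdict

DIGEST_OCTETS = {"SHA-1": 20, "SHA-256": 32}  # digest length in octets
OCTET = re.compile(r"[0-9A-Fa-f]{2}")
OID = re.compile(r"\d+(\.\d+)+")

# (name, SHA-1 fingerprint, EV policy OID) as originally filed in the bug description.
REQUEST = [
    ("Certplus Root CA G1",
     "2:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66",
     "1.3.6.1.4.1.22234.3.5.3.1"),
    ("Certplus Root CA G2",
     "4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A",
     "1.3.6.1.4.1.22234.3.5.3.2"),
    ("OpenTrust Root CA G1",
     "79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E",
     "1.3.6.1.4.1.22234.2.14.3.11"),
    ("OpenTrust Root CA G2",
     "79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B",
     "1.3.6.1.4.1.22234.2.14.3.11"),
    ("OpenTrust Root CA G3",
     "6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6",
     "1.3.6.1.4.1.22234.2.14.3.11"),
]

def fingerprint_problems(kind, text):
    """Return format problems in a colon-separated fingerprint (empty if none)."""
    groups = text.strip().split(":")
    problems = [f"group {i} {g!r} is not two hex digits"
                for i, g in enumerate(groups, 1) if not OCTET.fullmatch(g)]
    if len(groups) != DIGEST_OCTETS[kind]:
        problems.append(f"{len(groups)} groups, expected {DIGEST_OCTETS[kind]}")
    return problems

def review(records):
    """Return ({root: problems}, {oid: [roots]}) for a list of request records."""
    bad, by_oid = {}, defaultdict(list)
    for name, sha1, oid in records:
        problems = fingerprint_problems("SHA-1", sha1)
        if not OID.fullmatch(oid):
            problems.append(f"EV policy OID {oid!r} is not dotted decimal")
        if problems:
            bad[name] = problems
        by_oid[oid].append(name)
    return bad, dict(by_oid)

if __name__ == "__main__":
    print(review(REQUEST))
```

Only Certplus Root CA G1 is reported, and only by the per-group check; the corrected value from comment 3 passes. The five roots map to three distinct EV policy OIDs.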
Updated • 8 years ago (Assignee)
Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]
Updated • 8 years ago (Assignee)
Priority: -- → P1
Comment 4 • 8 years ago (Assignee)
Oh - I guess this isn't ready to go until bug 1274674 lands and we update NSS in Firefox.
Priority: P1 → P3
Comment 5 • 8 years ago (Reporter)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> Oh - I guess this isn't ready to go until bug 1274674 lands and we update
> NSS in Firefox.

These roots have been included in NSS 3.25 and Firefox 49, so please proceed with enabling EV treatment for them. Thanks!
Updated • 8 years ago (Assignee)
Priority: P3 → P1
Comment 6 • 8 years ago (Assignee)
Review commit: https://reviewboard.mozilla.org/r/64674/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/64674/
Attachment #8771564 - Flags: review?(cykesiopka.bmo)
Comment 7 • 8 years ago (Assignee)
Kathleen, what names should I use to describe the EV OIDs? I just went with "DocuSign EV OID 1/2/3" - is that sufficient or would something else be better?
Flags: needinfo?(kwilson)
Comment 8 • 8 years ago (Reporter)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> Kathleen, what names should I use to describe the EV OIDs? I just went with
> "DocuSign EV OID 1/2/3" - is that sufficient or would something else be
> better?

That seems fine to me. Thanks!
Flags: needinfo?(kwilson)
Updated • 8 years ago
Attachment #8771564 - Flags: review?(cykesiopka.bmo) → review+
Comment 9 • 8 years ago
Comment on attachment 8771564 [details]
bug 1274677 - Enable Certplus and OpenTrust root certificates for EV in PSM
https://reviewboard.mozilla.org/r/64674/#review61776
Looks good!
Comment 10 • 8 years ago (Assignee)
Thanks!
Kathleen - here's a build with these changes:
https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-1c7488570b2360302e6b24a9c62ff033549bcc88/try-macosx64/firefox-50.0a1.en-US.mac.dmg
If you could verify that everything works as expected, that would be great.
Flags: needinfo?(kwilson)
Comment 11 • 8 years ago (Reporter)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #10)
>
> Kathleen - here's a build with these changes:
> https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-
> 1c7488570b2360302e6b24a9c62ff033549bcc88/try-macosx64/firefox-50.0a1.en-US.
> mac.dmg
> If you could verify that everything works as expected, that would be great.

Tested. Working as expected. Thanks!
Flags: needinfo?(kwilson)
Comment 12 • 8 years ago (Assignee)
Great!
Comment 13 • 8 years ago (Assignee)
Comment on attachment 8771564 [details]
bug 1274677 - Enable Certplus and OpenTrust root certificates for EV in PSM
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/64674/diff/1-2/
Comment 14 • 8 years ago (Assignee)
(That update was to fix the comments so they were consistent with the rest of the comments in the EV list.)
Comment 15 • 8 years ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8a26f6b014e6
Enable Certplus and OpenTrust root certificates for EV in PSM r=Cykesiopka
Comment 16 • 8 years ago (bugherder)
https://hg.mozilla.org/mozilla-central/rev/8a26f6b014e6
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50