Closed
Bug 1366243
Opened 7 years ago
Closed 7 years ago
Turn off Code Signing trust bit for all included root certs
Categories
(NSS :: CA Certificates Code, task)
NSS
CA Certificates Code
Tracking
(Not tracked)
RESOLVED
FIXED
3.32
People
(Reporter: rob, Unassigned)
References
Details
~18 months ago, Kathleen wrote [1]: "I feel confident now that we should do the following: ... After version 2.3 of the policy is published and the change has been properly communicated (CA Communication, security blog, press regarding the policy update), turn off the Code Signing trust bits for included root certs, and remove any root certs that are left will all trust bits turned off." This hasn't yet been done, but ISTM that there's no reason not to do it now. [1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html
Reporter | ||
Comment 1•7 years ago
|
||
Assuming I've parsed certdata.txt correctly, there are 2 built-in root certs that should be removed since they're only enabled for CKA_TRUST_CODE_SIGNING: ComSign Secured CA https://crt.sh/?id=25533 UTN-USERFirst-Object https://crt.sh/?id=17811155
Comment 2•7 years ago
|
||
Thanks for the reminder. I filed Bug #1366403 and Bug #1366412 to remove those root certs. Is there anything else we need to track in this bug?
Comment 3•7 years ago
|
||
Kathleen: If you're good with the removal, then the next step is to remove the CKA_TRUST_CODE_SIGNING attribute from all the roots. Rob's just pointed out the ones that are _only_ trusted for code signing :)
Comment 4•7 years ago
|
||
Kai and Keeler, We can do the following with this bug: 1) Turn off the Code Signing trust bit for all root certs or 2) Remove CKA_TRUST_CODE_SIGNING altogether. I think you developers will have better insight into the best approach here.
I'm assuming NSS as a project would still want to support clients marking their own roots as trusted for code signing, so I believe option 1 (just turning off the trust bit) would be best here.
Comment 6•7 years ago
|
||
Sounds good. Updating title, and I will add this to my list for the July batch of root changes. Thanks!
Summary: Remove CKA_TRUST_CODE_SIGNING trust attributes → Turn off Code Signing trust bit for all included root certs
Comment 7•7 years ago
|
||
Patch and testing information is in Bug #1380941.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.32
Blocks: 1397837
You need to log in
before you can comment on or make changes to this bug.
Description
•