Closed Bug 1366243 Opened 7 years ago Closed 7 years ago

Turn off Code Signing trust bit for all included root certs

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rob, Unassigned)

~18 months ago, Kathleen wrote [1]:

"I feel confident now that we should do the following:
...
After version 2.3 of the policy is published and the change has been properly communicated (CA Communication, security blog, press regarding the policy update), turn off the Code Signing trust bits for included root certs, and remove any root certs that are left with all trust bits turned off."

This hasn't yet been done, but ISTM that there's no reason not to do it now.


[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html

Assuming I've parsed certdata.txt correctly, there are 2 built-in root certs that should be removed since they're only enabled for CKA_TRUST_CODE_SIGNING:

ComSign Secured CA
https://crt.sh/?id=25533

UTN-USERFirst-Object
https://crt.sh/?id=17811155
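
One way to run the check described in the comment above over certdata.txt, as an added example that is not part of the bug thread or NSS's own tooling. The sample entries, labels and helper names are constructed for illustration.

```python
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")
DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"
# Constructed sample in certdata.txt syntax; labels and octal bytes are made up.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_VALUE MULTILINE_OCTAL
\060\202\001
END
# Trust for "Example Root A"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

def parse_trust_objects(text):
    """Return {label: {trust_attr: value}} for each CKO_NSS_TRUST object."""
    objects, current, in_octal = {}, None, False
    for line in map(str.strip, text.splitlines()):
        fields = line.split(None, 2)
        if in_octal:                       # skip octal payload up to END
            in_octal = line != "END"
        elif len(fields) == 2 and fields[1] == "MULTILINE_OCTAL":
            in_octal = True
        elif len(fields) == 3 and not line.startswith("#"):
            attr, _type, value = fields
            if attr == "CKA_CLASS":        # CKA_CLASS opens a new object
                current = {} if value == "CKO_NSS_TRUST" else None
            elif current is not None and attr == "CKA_LABEL":
                objects[value.strip('"')] = current
            elif current is not None and attr in TRUST_ATTRS:
                current[attr] = value
    return objects

def delegator_bits(trust):  # attributes set to trusted delegator for one root
    return [a for a in TRUST_ATTRS if trust.get(a) == DELEGATOR]

def code_signing_only(objects):
    """Labels of roots whose sole delegator bit is code signing."""
    return sorted(label for label, t in objects.items()
                  if delegator_bits(t) == ["CKA_TRUST_CODE_SIGNING"])
```

Roots returned by `code_signing_only` are the removal candidates; every other root with `CKA_TRUST_CODE_SIGNING` in its `delegator_bits` only needs that bit turned off.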

Thanks for the reminder. I filed Bug #1366403 and Bug #1366412 to remove those root certs.

Is there anything else we need to track in this bug?

Kathleen: If you're good with the removal, then the next step is to remove the CKA_TRUST_CODE_SIGNING attribute from all the roots. Rob's just pointed out the ones that are _only_ trusted for code signing :)

Kai and Keeler,

We can do the following with this bug:

1) Turn off the Code Signing trust bit for all root certs

or

2) Remove CKA_TRUST_CODE_SIGNING altogether.

I think you developers will have better insight into the best approach here.

Depends on: 1366403, 1366412
Summary: Remove CKA_TRUST_CODE_SIGNING trust attributes / root certificates → Remove CKA_TRUST_CODE_SIGNING trust attributes

I'm assuming NSS as a project would still want to support clients marking their own roots as trusted for code signing, so I believe option 1 (just turning off the trust bit) would be best here.

Sounds good. Updating title, and I will add this to my list for the July batch of root changes. Thanks!
Summary: Remove CKA_TRUST_CODE_SIGNING trust attributes → Turn off Code Signing trust bit for all included root certs
Depends on: 1380941

Patch and testing information is in Bug #1380941.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.32