252132 - Add Comodo CA certs to NSS

Status: VERIFIED FIXED

(NSS :: Libraries, enhancement, P2)

Description

[Frank Hecker]

Per the discussion in bug 249710 I've approved adding CA certs for Comodo Group.
There are three certs (for AAACertificateServices, SecureCertificateServices,
and TrustedCertificateServices); see the entry for Comodo Group in
<http://www.hecker.org/mozilla/ca-certificate/list/> or go directly to
<http://www.comodogroup.com/repository/>. All three certs should have trust bits
marked to "all".

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

Frank, I get error 404 on the hecker.org URL cited above.

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

Taking.  All Frank's other bugs like this are assigned to me, and I have
patches for them.  Might as well take this one too.  

Comment 3

[Frank Hecker]

(In reply to comment #1)
> Frank, I get error 404 on the hecker.org URL cited above.

Sorry, forgot to correct this earlier; the correct URL is:

  http://www.hecker.org/mozilla/ca-certificate-list/

Comment 4

[Nelson Bolyard (seldom reads bugmail)]

Attachment: patch v1

This patch depends on the patch for bug 242040 being applied first. 
This patch is supplemental to that one.

Comment 5

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 155331 [details] [diff] [review]
patch v1 

Julien, please review.
Remember that this patch has two prerequisite patches, neither of which is yet
checked in.

Comment 6

[Nelson Bolyard (seldom reads bugmail)]

This has been checked in on the trunk for NSS 3.10.
So, I am marking this bug fixed.  We may also choose to 
port this enhancement back to NSS 3.9.x.  

Comment 7

[Nelson Bolyard (seldom reads bugmail)]

Attachment: patch for NSS 3.9 branch

This patch brings the NSS 3.9 branch up to parity with the trunk (NSS 3.10)
with respect to the root CAs.  That is, it adds to the 3.9 branch all the
CA certs that were added to the trunk just a week or two ago.  

With this patch applied to the 3.9 branch, the main differences in nssckbi
between the 3.9 branch and the trunk are 
a) the minor version number (4x for 3.9, 5x for the trunk)
b) the absense/presence of Ian's fix for SSL-StepUp trust flags.  

Otherwise, the certs and trust flags are the same.  

I would like to check this in for NSS 3.9.3, in hopes that firefox 1.0 RTM
will pick up NSS 3.9.3, and therefore support these new CAs in the 1.0
release.  

So, Wan-Teh or Julien, please review this patch for 3.9 with all due haste.

Comment 8

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 158948 [details] [diff] [review]
patch for NSS 3.9 branch

Wan-Teh please read the comments about this patch in the bug, above, and then
review this patch.  I'd like to see this patch get into firefox 1.0

Comment 9

[Wan-Teh Chang]

Comment on attachment 158948 [details] [diff] [review]
patch for NSS 3.9 branch

Nelson, I like your changes to nssckbi.h.

I need to sit down with you to review the
trust flags for these new CAs.

We should also find out how to get these
new CAs into the next Mozilla 1.7.x release.

Comment 10

[Wan-Teh Chang]

Comment on attachment 158948 [details] [diff] [review]
patch for NSS 3.9 branch

r=wtc.

Comment 11

[Nelson Bolyard (seldom reads bugmail)]

Checked in on the 3.9 branch.
Checking in builtins/certdata.c;   new revision: 1.27.16.1; previous 1.27
Checking in builtins/certdata.txt; new revision: 1.28.16.1; previous 1.28
Checking in builtins/nssckbi.h;    new revision: 1.6.16.2;  previous 1.6.16.1

Comment 12

[Wan-Teh Chang]

Verified with Firefox 1.0.2 that Comodo AAA Certificate
Services, Secure Certificate Services, and Trusted Certificate
Services root CA certs are in the "Builtin Object Token"
with the following trust settings:
This certificate can identify web sites.
This certificate can identify mail users.
This certificate can identify software makers.