Closed Bug 59161 Opened 24 years ago Closed 23 years ago

Check in all root certs, if possible

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
Future

People

(Reporter: BenB, Assigned: bugz)

References

Details

(Whiteboard: PDT+, needs a=, critical for 0.9.2)

Attachments

(2 files)

patch to add remaining roots from 4.x to mozilla
115.81 KB, patch
Details | Diff | Splinter Review
updated patch includes changes to USPS roots, and has both certdata.c and certdata.txt
115.81 KB, patch
Details | Diff | Splinter Review 
Reproduce:
1. Build psm.xpi with |make build_xpi| (see build instructionos)
2. Install the xpi in a fresh (open-source) Mozilla nightly build, fresh profile
3. Visit <https://services.db-privatebanking.de>

Actual result:
A warning dialog pops up, saying that the CA for the certificate is not
recognized. View the certificate to see that it is issued by "Verisign Trust
Network".

Expected result:
Since Verisign and Thawte seem to agree to the distribution of their certs (see
<http://lxr.mozilla.org/mozilla/security/nss/lib/ckfw/builtins/certdata.txt>),
all Verisign and Thawte certs are recognized.

Additional Comments:
Please check in all of them into the Mozilla tree ASAP (i.e. beofre N6
shipment), or tell me how to convert the certs into the certdata.txt format, so
I can fix it myself. This is a blocker for me - shipping PSM without reasonable
root certs is practically impossible.

I do use the builtin root certs - No warning on <https://admin.he.net> (issued
by Thawte.
eh, wrong summary, correcting.
Summary: Root certs lib not shipped → Check in all root certs, if possible
I got completely confused - sorry. You need the patch for bug 59162 - otherwise,
*no* cert will be recognized, not even that for he.net.
Blocks: Beonex
Ian fixed the first part of it, reassigning to him (reassign to
<relyea%netscape.com>, when (s)he is back).

The site mentioned in the reproduction now works. Thanks Ian.

Checked in are:
- VeriSign/Thawte
- TC Trustcenter
- GlobalSign/BelSign

Leaving open, since there are still lots of certs (all from digsigtrust and many
smaller CAs) missing.
Assignee: lord → mcgreer
Component: Daemon → Libraries
Product: PSM → NSS
Version: 1.4 → 3.1
Filed bug 59614 about making the tool for creating certdata.txt publically
available.
QA Contact: nitinp → junruh
Ian, have we checked in all the root certs?  Can this
be done in NSS 3.2 time frame?
Target Milestone: --- → 3.2
Already in:
- Verisign (thousands of times)
- Thawte
- TC Trustcenter
- GlobalSign/BelSign
- ValiCert

The following ones are missing (we have OK to check in):
- Deutsche Telekom (T-TeleSec)
- Entrust

No response so far from (available in 4.x, not yet checked into Mozilla, I
mailed them, no response, legal status unclear):
- DigSigTrust
- Equifax
- Baltimore

Not contacted (available in 4.x, not yet checked into Mozilla, I didn't mail
them yet, because of missing contact info):
- GTE Cybertrust
- E-Certify
- possibly others

Didn't check Netscape 6, if there are new certs we should distribute, too.
Severity: blocker → major
Have checked in Entrust and Deutsche Telekom.

marking as future, will watch this bug as more approvals come in.

I think Baltimore is under the new contract, so they can be checked in...
Target Milestone: 3.2 → Future
Keywords: mozilla1.0
No longer blocks: Beonex
*** Bug 83847 has been marked as a duplicate of this bug. ***
r=javi
rs=blizzard
-> P1
Priority: P3 → P1
Whiteboard: PDT+, needs a=
a=blizzard on behalf of drivers for 0.9.2
Whiteboard: PDT+, needs a= → PDT+, needs a=, critical for 0.9.2
last set of roots checked in 6/20
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: