Last Comment Bug 707995 - Add EC-ACC certificate to NSS
: Add EC-ACC certificate to NSS
Status: RESOLVED FIXED
:
Product: NSS
Classification: Components
Component: CA Certificates Code (show other bugs)
: trunk
: All All
-- enhancement (vote)
: ---
Assigned To: nobody
:
:
Mentors:
Depends on:
Blocks: 295474 711829
  Show dependency treegraph
 
Reported: 2011-12-06 10:39 PST by Kathleen Wilson
Modified: 2012-02-09 08:28 PST (History)
3 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---


Attachments
CATCert Root Cert (1.34 KB, application/x-x509-ca-cert)
2011-12-06 10:39 PST, Kathleen Wilson
no flags Details

Description User image Kathleen Wilson 2011-12-06 10:39:39 PST
Created attachment 579366 [details]
CATCert Root Cert

This bug requests inclusion in the NSS root certificate store of the following certificate, owned by CATCert.

Friendly name: EC-ACC
Certificate location: http://www.catcert.net/descarrega/acc.crt
SHA1 Fingerprint: 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
Trust flags: Websites
Test URL: https://seuelectronica.upc.edu/

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate approved for inclusion in bug #295474.

The steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate has been attached.

2) A Mozilla representative creates a patch with the new certificate, and provides a special test version of Firefox.

3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate has been correctly imported and that websites work correctly.

4) The Mozilla representative requests that another Mozilla representative review the patch.

5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.

6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.
Comment 1 User image Kathleen Wilson 2011-12-06 10:42:28 PST
Manuel, Please see step #1 above.
Comment 2 User image Manel Rella 2011-12-07 00:42:29 PST
(In reply to Kathleen Wilson from comment #1)
> Manuel, Please see step #1 above.

Hi Kathleen, we confirm that the information of the root CATCert certificate is correct. Another URL test could be:  https://seu.catcert.cat 
Thank you
Comment 3 User image Kathleen Wilson 2011-12-08 11:05:30 PST
Thanks for confirming that the data in this bug is correct.

Root inclusions are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.

At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.
Comment 4 User image Kai Engert (:kaie:) 2011-12-20 12:33:47 PST
A test version of Firefox is available at https://kuix.de/mozilla/tryserver-roots-20111218/
This test build contains your new root(s).

TODO, in this bug, please confirm that your root has been correctly added.

In particular check the correct trust flags (in cert manager you can use "edit trust" to view the trust settings you've received).

Please note this build is based on a nightly development/test version of Firefox. It might be unstable and have bugs. Please be careful. 
It's best to use a "fresh, empty profile", for your testing. (Search the web how to use separate profiles, start the profile manager, with Firefox). 
This is also recommended to make sure you're not testing your own certificate database, but really this software with the embedded certs.
Comment 5 User image Manel Rella 2011-12-21 09:40:25 PST
From CATCert we have validated OK the 4 test Firefox versions following your instructions. Thank you.
Comment 6 User image Kai Engert (:kaie:) 2012-01-17 14:04:04 PST
Will be fixed in NSS 3.13.2
Comment 7 User image Adam Langley 2012-01-30 10:22:02 PST
I believe that this including this root certificate is a mistake: the serial number on the certificate is negative. This happens to be possible with ASN.1, but isn't permitted in a certificate:

"The serial number MUST be a positive integer."

http://tools.ietf.org/html/rfc5280#section-4.1.2.2

More importantly, making glaring mistakes in a root certificate doesn't inspire confidence in the practices of the CA.
Comment 8 User image Kathleen Wilson 2012-01-30 17:27:02 PST
(In reply to Adam Langley from comment #7)
> I believe that this including this root certificate is a mistake: the serial
> number on the certificate is negative. 

This was discussed at great length in the mozilla.dev.security.policy discussion forum.

https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/pOUJJFJdP_4
From posting on 23/08/2011: "The fact is that our root CA created in 2003 is not accomplishing that point because in design time was used the RFC2459  that didn't have this requirement about serial numbers. Anyway it is specified in RFCs 3280 and 5280  that "Certificate users SHOULD be prepared to gracefully handle such certificates", so the practical experience is that we have not been reported yet for any interoperability problems caused by this issue. Furthermore we are planning to create another root certificate during 2012 with SHA-256 algorithm, so we will take special care at this point."
Comment 9 User image Manel Rella 2012-02-09 08:28:06 PST
Hi, is there an approximated date to have included the root certificate of CATCert in a final version of Firefox? 
Thank you!

Note You need to log in before you can comment on or make changes to this bug.