Closed Bug 1017262 Opened 11 years ago Closed 11 years ago

Remove Code Signing trust bit from VeriSign Class 2 roots

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
3.16.3

People

(Reporter: rick_andrews, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140506152807

Steps to reproduce:

Mozilla's trust store currently contains these certificates:

"VeriSign Class 2 Public PCA – G2"
SHA-1: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

"VeriSign Class 2 Public PCA - G3"
SHA-1: 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11

Their trust bits are Email, Code. Please remove the "Code" trust bit from both roots.

Actual results: n/a

Expected results: n/a
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Assignee: kwilson → nobody
Product: mozilla.org → NSS
Version: other → trunk
Summary: Remove trust bits from VeriSign Class 2 roots → Remove Code Signing trust bit from VeriSign Class 2 roots
Blocks: 1021967
No longer blocks: 1021967
Depends on: 1021967
A Test Build with these changes has been created as part of Bug #1021967.
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-394c2eeb9793/
I have already checked/tested it, but you are all welcome to check it too.

Fixed as part of bug 1021967.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.16.3
This comment is purely for documenting something I looked up.

The code signing trust bit removal from sha1 = B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D had been requested in bug 986005, too, so this bug is a half-duplicate of that other bug. This is a 1024-bit key certificate.

The other certificate with sha1 = 61:EF:43:D7:7F:CA:D4:61:51:BC:98:E0:C3:59:12:AF:9F:EB:63:11 has a 2048-bit key, which means this trust bit removal wasn't done as part of phasing out 1024-bit keys.