Closed Bug 1021967 Opened 9 years ago Closed 9 years ago

June 2014 batch of root CA changes

Categories

(NSS :: CA Certificates Code, task)

Product:
NSS
Component:
CA Certificates Code
Version:
3.16.3
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.16.3

People

(Reporter: KaiE, Assigned: KaiE)

References

Details

Attachments

(2 files)

patch v1
188.53 KB, patch
rrelyea
: review+
kwilson
: feedback+
Details | Diff | Splinter Review
WoSign_two_roots_work well in Mozzila Nightly.JPG
57.17 KB, image/jpeg
Details 
June 2014 batch of root CA changes
Attached patch patch v1Splinter Review 
Kathleen, do you think I did everything correctly?

The try build is running at https://tbpl.mozilla.org/?tree=Try&rev=394c2eeb9793
When done in a few hours, the build should appear here:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/
(will be the only directory containing "kaie" and with "394c2eeb9793").

If you think the patch looks good, could you please ask CAs for feedback?
Thanks
Assignee: nobody → kaie
Attachment #8436098 - Flags: feedback?(kwilson)
WoSign two roots work well in Nightly. The first screenshot is for test site: https://root1evtest.wosign.com, the second is for test site: https://root2evtest.wosign.com, and the third is for real website: https://www.wosign.com that its certificate cross signed with UTN SGC root.
But two EV test site don't display greenbar.
I think everything is correct including the friendly name, thanks.
(In reply to Kai Engert (:kaie) from comment #1)
> Created attachment 8436098 [details] [diff] [review]
> patch v1
> 
> Kathleen, do you think I did everything correctly?

Yes. I reviewed the code changes, and they all look correct.

> 
> The try build is running at
> https://tbpl.mozilla.org/?tree=Try&rev=394c2eeb9793
> When done in a few hours, the build should appear here:
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/
> (will be the only directory containing "kaie" and with "394c2eeb9793").


I tested each bug with the try build, and all works as expected.


> 
> If you think the patch looks good, 

Looks good!

> could you please ask CAs for feedback?

Will do.

Thanks!
Kathleen
Comment on attachment 8436098 [details] [diff] [review]
patch v1

Review of attachment 8436098 [details] [diff] [review]:
-----------------------------------------------------------------

Code changes look correct, and testing is complete.

Thanks!
Attachment #8436098 - Flags: feedback?(kwilson) → feedback+
Comment on attachment 8436098 [details] [diff] [review]
patch v1

Bob, could you please review the patch?
Attachment #8436098 - Flags: review?(rrelyea)
FYI, I've noticed that some consumers pick up our root CA changes whenever we make a change - even if we haven't released them as part of NSS yet.

So, I want to increase the version number each time I make a larger set of changes.

This time there's risk that we MIGHT have to undo some removals in the last minute. I didn't like the idea to use version 2.00 for a release that undoes changes. This is simply cosmetic. That's why I'm increasing the version to 2.00 (not 1.99), and a potential backout would then be 2.01
Comment on attachment 8436098 [details] [diff] [review]
patch v1

Review of attachment 8436098 [details] [diff] [review]:
-----------------------------------------------------------------

r+ rrelyea looks good kai
Attachment #8436098 - Flags: review?(rrelyea) → review+
Whiteboard: postponed until July 1st
Blocks: 1029561
Target Milestone: --- → 3.16.3
Checked in to NSS_3_16_3_PLUS_BRANCH
https://hg.mozilla.org/projects/nss/rev/d936c1e1c51e
...
Whiteboard: postponed until July 1st
  1.2534 +# Trust for "WoSign China"
  1.2535 +# Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
You don't enter the Chinese for Common name, is it OK?
checked to to default branch (NSS trunk)
https://hg.mozilla.org/projects/nss/rev/587c939f0490
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
(In reply to Richard Wang from comment #10)
>   1.2534 +# Trust for "WoSign China"
>   1.2535 +# Issuer: CN=CA ...............,O=WoSign CA Limited,C=CN
> You don't enter the Chinese for Common name, is it OK?

This part of the file is an automatic source code comment.
The fact, that special characters are excluded, don't affect the runtime behaviour.

Search that file for other root CAs with special characters, for example, search for TURKTRUST. You'll see that their special characters in that file got replaced with ".", too.
Thanks, Kai.
See Also: → 592984
Blocks: 1052099
You need to log in before you can comment on or make changes to this bug.