CA certificate removed in NSS 3.16.3 still needed

RESOLVED WONTFIX

Status

Product: NSS
Component: CA Certificates Code

People

(Reporter: Craig Leres, Assigned: Kathleen Wilson)


Description

4 years ago
User Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140804150629

Steps to reproduce:

A number of our ldaps dependent services stopped working after upgrading NSS from 3.16.1 to 3.16.3. We were able to track this down to this change:

    https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.16.3_release_notes

    Notable Changes in NSS 3.16.3
        - The following 1024-bit CA certificates were Removed
            OU = ValiCert Class 2 Policy Validation Authority
            SHA1 Fingerprint: 31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6

This CA was used to sign the ValiCert SSL cert used with identity.lbl.gov, which is a 10-year cert that is now only 5 years old.


Actual results:

Example error message:

    LDAP service down: ldaps://identity.lbl.gov/


Expected results:

We'd like to understand why this specific CA was removed from the NSS bundle and if it's possible to put it back in.
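The outage described above comes from a server chain that ends in a root NSS no longer ships. As an added example that is not part of this bug report, the following POSIX shell function audits every certificate in a PEM bundle (for instance the chain saved from `openssl s_client -showcerts`) and flags both the removed ValiCert root, by the SHA1 fingerprint quoted from the release notes, and any RSA key shorter than 2048 bits; it assumes only the `openssl` command-line tool.

```shell
#!/bin/sh
# Audit every certificate in a PEM bundle and report which ones would stop
# validating after the NSS 3.16.3 root removal. Added example, not from the
# bug report; assumes the openssl CLI is installed.

# SHA1 fingerprint of the removed ValiCert Class 2 root, as quoted in the bug.
REMOVED_ROOT_SHA1="31:7A:2A:D0:7F:2B:33:5E:F5:A1:C3:4E:4B:57:E8:B7:D8:F1:FC:A6"

# audit_chain FILE: prints one entry per certificate in FILE and returns 1
# when any certificate is the removed root or has an RSA key below 2048 bits.
audit_chain() {
    file="$1"; rc=0; i=0
    tmpdir=$(mktemp -d) || return 2
    # Split the bundle into one file per certificate, ignoring any s_client
    # chatter that sits outside the BEGIN/END markers.
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (d "/cert" n ".pem") }
        /-----END CERTIFICATE-----/ { inside = 0 }' "$file"
    for c in "$tmpdir"/cert*.pem; do
        [ -f "$c" ] || continue
        i=$((i + 1))
        subject=$(openssl x509 -in "$c" -noout -subject)
        fp=$(openssl x509 -in "$c" -noout -fingerprint -sha1 | sed 's/^.*=//')
        text=$(openssl x509 -in "$c" -noout -text)
        # Key algorithm and size lines read "Public Key Algorithm: rsaEncryption"
        # and "Public-Key: (1024 bit)" (prefixed with "RSA " on OpenSSL 1.1.x).
        alg=$(printf '%s\n' "$text" | sed -n 's/^ *Public Key Algorithm: //p')
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p')
        status="ok"
        if [ "$fp" = "$REMOVED_ROOT_SHA1" ]; then
            status="REMOVED from NSS 3.16.3"
        elif [ "$alg" = rsaEncryption ] && [ -n "$bits" ] && [ "$bits" -lt 2048 ]; then
            status="WEAK ${bits}-bit RSA key"
        fi
        [ "$status" = ok ] || rc=1
        printf '%d: %s\n   sha1=%s bits=%s -> %s\n' "$i" "$subject" "$fp" "$bits" "$status"
    done
    rm -rf "$tmpdir"
    return $rc
}

# Usage: save the server chain, then audit it (hostname from the bug report):
#   openssl s_client -connect identity.lbl.gov:636 -showcerts </dev/null 2>/dev/null > chain.pem
#   audit_chain chain.pem
```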

Comment 1

4 years ago
Hi Craig,

NSS is in the process of removing legacy root certificates, including those with keys that are likely to be deprecated in the future (1024-bit RSA keys).

The bug tracking this particular effort was https://bugzilla.mozilla.org/show_bug.cgi?id=936304 , with the overall bug being https://bugzilla.mozilla.org/show_bug.cgi?id=881553

You can see the owner of this certificate requested its removal in July, 2013 - https://bugzilla.mozilla.org/show_bug.cgi?id=881553#c11

The CAs owning these certificates have been attempting to reach out to their customers and ensure they are aware of the changes and have alternatives. I suspect that if you contact them, they will be able to provide you with a proper chain, one that is supported by the CA and follows modern cryptographic best practices.

It's not something that the NSS dev team are considering adding back in, especially since the CA indicated they were prepared for this certificate to be removed in Q1 2014, and now it's nearly Q4.

Updated

4 years ago
Assignee: nobody → kwilson

Comment 2

4 years ago
Kathleen, should this be marked WONTFIX?

Comment 3

4 years ago
Hi Craig,

I apologize for this inconvenience. 

The ValiCert Class 2 root cert can be downloaded from here:
https://certificates.godaddy.com/repository

There is also a link on that page called: "How to report a certificate problem"
Perhaps you can reach out to GoDaddy to find out the best solution for your situation.

I am closing this bug as "WONTFIX", because we do not plan to add this legacy 1024-bit root back to NSS.

Regards,
Kathleen
Status: UNCONFIRMED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX