Closed Bug 1113048 Opened 11 years ago Closed 10 years ago

https://www.electrabel.be and https://www.partenamut.be chain up to the GTE CyberTrust Global Root

Categories

(Web Compatibility :: Site Reports, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: info, Unassigned)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20141217004003

Expected results:

Version: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:36.0) Gecko/20100101 Firefox/36.0

Certipost certificates are recognised in the release version (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:34.0) Gecko/20100101 Firefox/34.0) but not in FirefoxDeveloperEdition.
Component: Untriaged → Security
The issue can be seen on https://www.electrabel.be/ and https://www.partenamut.be/ as well as probably many Belgian sites with a government connection.
Regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=38ecfc3922b8&tochange=e8df6826a571
Maybe due to: David Keeler — bug 940506 - remove nsIRecentBadCerts and implementation r=briansmith
Component: Security → Security: PSM
Product: Firefox → Core
Looks like these sites are depending on the GTE CyberTrust Global Root, which is essentially deprecated. Bug 1088147 removed it for the second time (bug 1029561 removed it the first time, but then it was added back in bug 1046343). Kathleen, can we get in touch with the CA these sites are using so they can help them send the right intermediates?
Flags: needinfo?(kwilson)
Steven, these Certipost folks are still chaining up to the GTE CyberTrust Global Root, which is being removed in Firefox 36.
Flags: needinfo?(kwilson)
Thanks for the info. I sent a message explaining the issue to both Bpost (the Belgian postal service behind Certipost) and the @certipost.be email address provided in their certificate. Hopefully they will quickly get in touch with their customers to sort this out.
Component: Security: PSM → Desktop
OS: Mac OS X → All
Product: Core → Tech Evangelism
Hardware: x86 → All
Version: 36 Branch → Trunk
David, is there any point at which we're going to re-introduce them a second time if not enough servers have been updated? :-(
Flags: needinfo?(dkeeler)
(In reply to :Gijs Kruitbosch from comment #6)
> David, is there any point at which we're going to re-introduce them a second
> time if not enough servers have been updated? :-(

We would rather avoid doing that. Let's try to get in touch with these sites to see if we can help them update their configuration. Steven, have you had any success reaching out to your customers that are still using deprecated intermediate certificates?
Flags: needinfo?(dkeeler) → needinfo?(steve.medin)
Certipost were aware of the need to replace GTE-based subordinates in the distant past, we first broadcasted our 1024-bit deprecation strategy to customers in early 2011. Organizational changes led to the action lagging to this point. Subordinate CAs for Certipost under our mainstream Baltimore CyberTrust Global Root were created in October 2013. Our operations team is finalizing the updated name constraint content of a new set of subordinates to be issued in the near future and distributed. These will be chain-pluggable substitutes for the existing CAs under the GTE root that reuse the previous PKCS#10s to expedite field replacement and avoid end entity re-enrollment. A similar story carries across each lagging customer, as we've been banging the drum for years. It is often a quantity of certificates versus current staffing level to replace the certificates obstacle caused by downsizing from heyday PKI team sizes.
Flags: needinfo?(steve.medin)
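Added example, not part of the bug thread: a local OpenSSL demonstration of the "chain-pluggable substitute" approach described in the comment above, where one subordinate CA request (PKCS#10) is signed under both an old and a new root, so an already-issued end-entity certificate validates through whichever intermediate the server sends. All names, keys and file names are constructed, and it assumes the `openssl` command-line tool is installed.

```bash
#!/bin/sh
# Added demo. Every key and name is a throwaway generated locally (constructed).
set -e
D=$(mktemp -d)
cat > "$D/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = ca
[dn]
commonName = CN
[ca]
basicConstraints = critical,CA:TRUE
EOF

newcsr() {   # newcsr NAME SUBJECT: fresh key plus PKCS#10 request
  openssl req -new -config "$D/ca.cnf" -newkey rsa:2048 -nodes -subj "$2" \
    -keyout "$D/$1.key" -out "$D/$1.csr" 2>/dev/null
}
mkroot() {   # mkroot NAME: self-signed root CA
  openssl req -x509 -config "$D/ca.cnf" -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Demo $1 root" -keyout "$D/$1-root.key" -out "$D/$1-root.pem" 2>/dev/null
}
issue() {    # issue CSR CA_CERT CA_KEY OUT SERIAL [extra x509 args]
  csr=$1; cacert=$2; cakey=$3; out=$4; serial=$5; shift 5
  openssl x509 -req -in "$D/$csr" -CA "$D/$cacert" -CAkey "$D/$cakey" \
    -set_serial "$serial" -days 30 -out "$D/$out" "$@" 2>/dev/null
}
chain_ok() { # chain_ok ROOT SUB: does leaf.pem verify with this anchor and served intermediate?
  openssl verify -CAfile "$D/$1-root.pem" -untrusted "$D/sub-$2.pem" \
    "$D/leaf.pem" >/dev/null 2>&1
}

mkroot old; mkroot new
newcsr sub "/CN=Demo subordinate CA"
# The same PKCS#10 is signed by both roots: same subject, same key, two issuers.
issue sub.csr old-root.pem old-root.key sub-old.pem 1 -extfile "$D/ca.cnf" -extensions ca
issue sub.csr new-root.pem new-root.key sub-new.pem 2 -extfile "$D/ca.cnf" -extensions ca
# The end-entity certificate is issued once and never re-enrolled.
newcsr leaf "/CN=www.example.test"
issue leaf.csr sub-old.pem sub.key leaf.pem 3

for root in old new; do for sub in old new; do
  if chain_ok "$root" "$sub"; then r=OK; else r=FAIL; fi
  echo "client trusts only $root root, server sends sub-$sub.pem: $r"
done; done
```

The row where the client trusts only the new root and the server still sends the old intermediate corresponds to what this bug reports: the fix is on the server side, by serving the substitute intermediate.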
Both of these sites now chain up to different roots.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Summary: Certipost certificate issuer is not known → https://www.electrabel.be and https://www.partenamut.be chain up to the GTE CyberTrust Global Root
Product: Tech Evangelism → Web Compatibility