Add CFCA EV ROOT root certificate to NSS

RESOLVED FIXED

Status

--
enhancement
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: kwilson, Unassigned)

Tracking

Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: In NSS 3.18, Firefox 38)

Attachments

(3 attachments)

(Reporter)

Description

4 years ago
Posted file CFCAEVROOT.cert
This bug requests inclusion in the NSS root certificate store of the following certificate, owned by China Financial Certification Authority (CFCA).

Friendly Name: CFCA EV ROOT
Cert Location: https://bugzilla.mozilla.org/attachment.cgi?id=8356494
SHA-1 Fingerprint: E2:B8:29:4B:55:84:AB:6B:58:C2:90:46:6C:AC:3F:B8:39:8F:84:83
Trust Flags: Websites
Test URL: https://pub.cebnet.com.cn

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion in bug #926029. 

The next steps are as follows:
1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate has been attached.
2) A Mozilla representative creates a patch with the new certificate, and provides a special test version of Firefox.
3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate has been correctly imported and that websites work correctly.
4) The Mozilla representative requests that another Mozilla representative review the patch.
5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
(Reporter)

Comment 1

4 years ago
Zhao, Please see step #1 above.
(Reporter)

Updated

4 years ago
Blocks: 1131699

Comment 2

4 years ago
Thank you Kathleen, 

(Checked)All data in this bug is correct.
(Checked)The "CFCAEVROOT.cert" in the attachment of this bug is correct.

Please move on to the next step.

Spring Festival of China(FEB 18 ~ FEB 24) is near. During this period, if there is any update, please post them here(instead of E-mail), or in the bug 
https://bugzilla.mozilla.org/show_bug.cgi?id=926029
https://bugzilla.mozilla.org/show_bug.cgi?id=1131699
I'll check everyday.

Thanks again!

Updated

4 years ago
Depends on: 1132496
Test builds of a development version of Firefox, which contain the requested change(s), can be found here:
https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-cb8002df70cc/
This does NOT yet add EV status. Please ignore that EV is not yet enabled, and please test that the root has been correctly added.
(Reporter)

Comment 5

4 years ago
Zhao, Please test the code change as described here:
https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion

Comment 6

4 years ago
1,Download Firefox Nightly firefox-38.0a1.en-US.win32.installer.exe from
https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-cb8002df70cc/

2,Create New profile using “Run Firefox.exe -P”

3,Test website as attachment, Result is Correct and without EV treatment.
Attachment #8564656 - Flags: feedback+

Comment 7

4 years ago
4,The root has been correctly added, Security Device is "Builtin Object Token"
Which is correct.

5,Trust bit is website, Correct.

Test procedure follows
https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion

The test is completed, please see the attachments, results are consistent with the description Kai Engert states.

Everything is correct.

If you need more info or test, I will provide them as soon as possible.
(Reporter)

Updated

4 years ago
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.18, Firefox 38
You need to log in before you can comment on or make changes to this bug.