February 2015 batch of root CA changes

RESOLVED FIXED in 3.18

Status

task
RESOLVED FIXED
5 years ago
2 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

3.18
3.18
x86_64
Linux
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

February 2015 batch of root CA changes
Posted patch patch v1Splinter Review
Blocks: 1132689
Thanks Kai!

I reviewed the patch, and it is as requested. I also successfully verified the changes in the test build.

I've requested that the CAs also test.
"Distrust a pb.com certificate that does not comply with the baseline requirements."
Do we need this after the Equifax root removal?
Thinking about it, this was added in bug 966350. In retrospect, IMO we shouldn't have cared about the 1024-bit cert that was directly issued from a 1024-bit root that was going to be removed after 2013 anyway.
And there is nothing unusual about the issue and expiration date either. I think that GeoTrust/RapidSSL definitely sold 5 year certificate even in 2010.
(In reply to Kathleen Wilson from comment #3)
> Thanks Kai!
> 
> I reviewed the patch, and it is as requested. I also successfully verified
> the changes in the test build.
> 
> I've requested that the CAs also test.

The CAs have successfully completed their testing.

So, this patch is ready for official code review, etc.

Thanks!
Attachment #8563480 - Flags: review?(rrelyea)
Attachment #8563480 - Flags: review?(rrelyea) → review+
https://hg.mozilla.org/projects/nss/rev/484e72583add
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Yuhong Bao,
if you think there is need for discussing your questions, I suggest you could post to the mozilla.dev.security.policy list.
(This bug is to track action that have already been decided on that list.)
Thanks
Blocks: 1137470
Blocks: 1138716
You need to log in before you can comment on or make changes to this bug.