1132496 - February 2015 batch of root CA changes

Status: RESOLVED FIXED

(NSS :: CA Certificates Code, task)

Description

[Kai Engert (:KaiE:)]

February 2015 batch of root CA changes

Comment 1

[Kai Engert (:KaiE:)]

Attachment: patch v1

Comment 2

[Kai Engert (:KaiE:)]

Comment on attachment 8563480 [details] [diff] [review]
patch v1

Test build using this patch:
https://ftp-ssl.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-cb8002df70cc/

Comment 3

[Kathleen Wilson]

Thanks Kai!

I reviewed the patch, and it is as requested. I also successfully verified the changes in the test build.

I've requested that the CAs also test.

Comment 4

[Yuhong Bao]

"Distrust a pb.com certificate that does not comply with the baseline requirements."
Do we need this after the Equifax root removal?

Comment 5

[Yuhong Bao]

Thinking about it, this was added in bug 966350. In retrospect, IMO we shouldn't have cared about the 1024-bit cert that was directly issued from a 1024-bit root that was going to be removed after 2013 anyway.

Comment 6

[Yuhong Bao]

And there is nothing unusual about the issue and expiration date either. I think that GeoTrust/RapidSSL definitely sold 5 year certificate even in 2010.

Comment 7

[Kathleen Wilson]

(In reply to Kathleen Wilson from comment #3)
> Thanks Kai!
> 
> I reviewed the patch, and it is as requested. I also successfully verified
> the changes in the test build.
> 
> I've requested that the CAs also test.

The CAs have successfully completed their testing.

So, this patch is ready for official code review, etc.

Thanks!

Comment 8

[Kai Engert (:KaiE:)]

https://hg.mozilla.org/projects/nss/rev/484e72583add

Comment 9

[Kai Engert (:KaiE:)]

Yuhong Bao,
if you think there is need for discussing your questions, I suggest you could post to the mozilla.dev.security.policy list.
(This bug is to track action that have already been decided on that list.)
Thanks