Created attachment 8596092 [details] SZAFIRROOTCA.cert This bug requests inclusion in the NSS root certificate store of the following certificate, owned by Krajowa Izba Rozliczeniowa S.A. (KIR). Friendly Name: SZAFIR ROOT CA Cert Location: http://www.elektronicznypodpis.pl/certyfikaty/root_ca.crt SHA-1 Fingerprint: D3:EE:FB:CB:BC:F4:98:67:83:86:26:E2:3B:B5:9C:A0:1E:30:5D:B7 Trust Flags: Code; Email; Websites Test URL: https://ssl.elektronicznypodpis.pl This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion in Bug #817994. The next steps are as follows: 1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate has been attached. 2) A Mozilla representative creates a patch with the new certificate, and provides a special test version of Firefox. 3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate has been correctly imported and that websites work correctly. 4) The Mozilla representative requests that another Mozilla representative review the patch. 5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED. 6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
Przemyslaw, Please see step #1 above.
I confirm that all the data in this bug is correct, and that the correct certificate has been attached. Przemysław Rawa
Thanks for confirming that the data in this bug is correct. Root inclusions are usually grouped and done as a batch when there is either a large enough set of changes or about every 3 months. At some point in the next 3 months a test build will be provided and this bug will be updated to request that you test it. Since you are cc'd on this bug, you will get notification via email when that happens.
Przemyslaw, we are running into Bug #1139205 with this root -- serial number is too long. Is there a version of this root that does not have this problem?
Przemysław, From https://bugzilla.mozilla.org/show_bug.cgi?id=1175227#c7 "It seems the SZAFIR certificate is using a serial number that's too long. I'd like to also mention that it's using a SHA1 self-signature. If the CA refreshes their root, maybe they should consider to use a SHA256 signature." When you have updated the root certificate and tested it, please attach it to this bug.
(In reply to Kathleen Wilson from comment #5) > Przemysław, From https://bugzilla.mozilla.org/show_bug.cgi?id=1175227#c7 > "It seems the SZAFIR certificate is using a serial number that's too long. > I'd like to also mention that it's using a SHA1 self-signature. If the CA > refreshes their root, maybe they should consider to use a SHA256 signature." We just finished discussing this in the NSS call, and there is no need to update the signature, because NSS does not check it for root certificates. So, please just provide an updated cert to fix the serial number issue.
To be clear, we are only asking you to regenerate the public key/certificate that will be used in the NSS root store. We are not asking you to regenerate the private key. So, please regenerate a new certificate with a serial number that is less than 20 bytes and that has a not-before date slightly newer than the original certificate. So if both the original and new certificates happen to be imported, NSS will choose the new certificate that it can properly handle.
Created attachment 8696729 [details] SZAFIRROOTCA2.cert Attaching the replacement root cert, that has a serial number less than 20 bytes. Updated information: Friendly Name: SZAFIR ROOT CA2 Cert Location: http://www.elektronicznypodpis.pl/certyfikaty/root_ca2.crt SHA-1 Fingerprint: E2:52:FA:95:3F:ED:DB:24:60:BD:6E:28:F3:9C:CC:CF:5E:B3:3F:DE Trust Flags: Email; Websites Test URL or Example Cert: https://ssl.elektronicznypodpis.pl/ Note that we are no longer enabling the Code Signing trust bit for new root certificates, because we will be removing the Code Signing trust bit from Mozilla's CA Certificate Policy.
Attachment #8596092 - Attachment is obsolete: true
Przemysław, Please check that the attached certificate and the information in Comment #8 is correct, and respond in this bug to confirm.
I confirm. The attached certificate and the information in Comment #8 are correct.
Thanks. We will include it in our next batch of root changes. (see Comment #3)
The test build is available here: https://email@example.com/ Please test the FirefoxDeveloperEdition.app as described here: https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion and add a comment to this bug when you are finished testing.
(In reply to Kathleen Wilson from comment #12) > The test build is available here: > https://firstname.lastname@example.org- > 4897de4acb25ddb71d521adb05b86667c000aed7/ > > Please test the FirefoxDeveloperEdition.app as described here: > https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion > and add a comment to this bug when you are finished testing. KIR's root certificate is marked as "Builtin Object Token" in the Security Device column and certification path from our test SSL website is correct. The appropriate UI appears indicating it is a secure website. The only thing needs to be clarified is that we see too many trust bits as checked. "This certificate can identify software makers" shouldn't be checked. As we know it's forbidden now. We applied for this bit but during discussion we were explained that Mozilla would be removing the Code Signing trust bit from Mozilla's CA Certificate Policy.
The code signing trust bit should be unchecked (not checked) for the SZAFIR ROOT CA2 in the test build from comment 12. Could you please doublecheck that you have used a fresh browser profile for testing? I just tested the build using a fresh profile, and when opening "edit trust", I see the first and the second boxes checked, but the third box "software makers" is unchecked (not checked).
After double checking everything is ok.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.