Add SZAFIR ROOT CA root certificate to NSS

RESOLVED FIXED

Status

NSS
CA Certificates Code
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: Kathleen Wilson, Unassigned)

Tracking

trunk
Dependency tree / graph

Firefox Tracking Flags

(firefox40 affected)

Details

(Whiteboard: Root Cert Updated -- See Comment #8)

Attachments

(1 attachment, 1 obsolete attachment)

1.25 KB, application/x-x509-ca-cert
Details
(Reporter)

Description

3 years ago
Created attachment 8596092 [details]
SZAFIRROOTCA.cert

This bug requests inclusion in the NSS root certificate store of the following certificate, owned by Krajowa Izba Rozliczeniowa S.A. (KIR).

Friendly Name: SZAFIR ROOT CA
Cert Location: http://www.elektronicznypodpis.pl/certyfikaty/root_ca.crt
SHA-1 Fingerprint: D3:EE:FB:CB:BC:F4:98:67:83:86:26:E2:3B:B5:9C:A0:1E:30:5D:B7
Trust Flags: Code; Email; Websites
Test URL: https://ssl.elektronicznypodpis.pl

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion in Bug #817994. 

The next steps are as follows:
1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate has been attached.
2) A Mozilla representative creates a patch with the new certificate, and provides a special test version of Firefox.
3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate has been correctly imported and that websites work correctly.
4) The Mozilla representative requests that another Mozilla representative review the patch.
5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
(Reporter)

Comment 1

3 years ago
Przemyslaw, Please see step #1 above.

Comment 2

3 years ago
I confirm that all the data in this bug is correct, and that the correct certificate has been attached.

Przemysław Rawa
(Reporter)

Comment 3

3 years ago
Thanks for confirming that the data in this bug is correct.

Root inclusions are usually grouped and done as a batch when there is either a large enough set of changes or about every 3 months.

At some point in the next 3 months a test build will be provided and this bug will be updated to request that you test it. Since you are cc'd on this bug, you will get notification via email when that happens.

Updated

3 years ago
Depends on: 1175227
(Reporter)

Comment 4

3 years ago
Przemyslaw, we are running into Bug #1139205 with this root -- serial number is too long. Is there a version of this root that does not have this problem?
(Reporter)

Comment 5

3 years ago
Przemysław, From https://bugzilla.mozilla.org/show_bug.cgi?id=1175227#c7
"It seems the SZAFIR certificate is using a serial number that's too long. I'd like to also mention that it's using a SHA1 self-signature. If the CA refreshes their root, maybe they should consider to use a SHA256 signature."

When you have updated the root certificate and tested it, please attach it to this bug.
(Reporter)

Comment 6

3 years ago
(In reply to Kathleen Wilson from comment #5)
> Przemysław, From https://bugzilla.mozilla.org/show_bug.cgi?id=1175227#c7
> "It seems the SZAFIR certificate is using a serial number that's too long.
> I'd like to also mention that it's using a SHA1 self-signature. If the CA
> refreshes their root, maybe they should consider to use a SHA256 signature."

We just finished discussing this in the NSS call, and there is no need to update the signature, because NSS does not check it for root certificates.

So, please just provide an updated cert to fix the serial number issue.
(Reporter)

Updated

3 years ago
No longer depends on: 1175227
(Reporter)

Comment 7

3 years ago
To be clear, we are only asking you to regenerate the public key/certificate that will be used in the NSS root store. We are not asking you to regenerate the private key.

So, please regenerate a new certificate with a serial number that is less than 20 bytes and that has a not-before date slightly newer than the original certificate. So if both the original and new certificates happen to be imported, NSS will choose the new certificate that it can properly handle.
(Reporter)

Comment 8

2 years ago
Created attachment 8696729 [details]
SZAFIRROOTCA2.cert

Attaching the replacement root cert, that has a serial number less than 20 bytes.

Updated information:
	 
Friendly Name: SZAFIR ROOT CA2
Cert Location: http://www.elektronicznypodpis.pl/certyfikaty/root_ca2.crt
SHA-1 Fingerprint: E2:52:FA:95:3F:ED:DB:24:60:BD:6E:28:F3:9C:CC:CF:5E:B3:3F:DE
Trust Flags: Email; Websites
Test URL or Example Cert: https://ssl.elektronicznypodpis.pl/

Note that we are no longer enabling the Code Signing trust bit for new root certificates, because we will be removing the Code Signing trust bit from Mozilla's CA Certificate Policy.
Attachment #8596092 - Attachment is obsolete: true
(Reporter)

Comment 9

2 years ago
Przemysław, Please check that the attached certificate and the information in Comment #8 is correct, and respond in this bug to confirm.

Comment 10

2 years ago
I confirm. The attached certificate and the information in Comment #8 are correct.
(Reporter)

Comment 11

2 years ago
Thanks. We will include it in our next batch of root changes. (see Comment #3)

Updated

2 years ago
Depends on: 1247990
(Reporter)

Updated

2 years ago
Whiteboard: Root Cert Updated -- See Comment #8
(Reporter)

Comment 12

2 years ago
The test build is available here:
https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-4897de4acb25ddb71d521adb05b86667c000aed7/

Please test the FirefoxDeveloperEdition.app as described here: 
https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion
and add a comment to this bug when you are finished testing.

Comment 13

2 years ago
(In reply to Kathleen Wilson from comment #12)
> The test build is available here:
> https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-
> 4897de4acb25ddb71d521adb05b86667c000aed7/
> 
> Please test the FirefoxDeveloperEdition.app as described here: 
> https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion
> and add a comment to this bug when you are finished testing.

KIR's root certificate is marked as "Builtin Object Token" in the Security Device column and certification path from our test SSL website is correct. The appropriate UI appears indicating it is a secure website. The only thing needs to be clarified is that we see too many trust bits as checked. "This certificate can identify software makers" shouldn't be checked. As we know it's forbidden now. We applied for this bit but during discussion we were explained that Mozilla would be removing the Code Signing trust bit from Mozilla's CA Certificate Policy.

Comment 14

2 years ago
The code signing trust bit should be unchecked (not checked) for the SZAFIR ROOT CA2 in the test build from comment 12.

Could you please doublecheck that you have used a fresh browser profile for testing?

I just tested the build using a fresh profile, and when opening "edit trust", I see the first and the second boxes checked, but the third box "software makers" is unchecked (not checked).

Comment 15

2 years ago
After double checking everything is ok.
(Reporter)

Updated

2 years ago
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.