Closed Bug 1237817 Opened 6 years ago Closed 6 years ago

Remove retired and non-public VeriSign certificates from NSS

Categories

(NSS :: CA Certificates Code, task)


Tracking

(firefox46 affected)

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

(Whiteboard: Removed in NSS 3.23, Firefox 46)

Please remove the following 3 certificates from NSS.
Only the Email trust bit is enabled for these, but based on documentation on Symantec's website, I think we should completely remove them.

1) VeriSign Class 1 Public PCA – G2
SHA-1 Fingerprint: 27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47

2) VeriSign Class 3 Public PCA
SHA-1 Fingerprint: A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B

3) VeriSign Class 3 Public PCA – G2
SHA-1 Fingerprint: 85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F


Reasons for completing the removal of these roots:

Copied from http://www.symantec.com/page.jsp?id=roots#
~~
Retired Roots
*The following roots have been retired and need no longer be distributed by vendors*

VeriSign Class 1 Public Primary CA - G2
Country = US
Organization = VeriSign, Inc.
Organizational Unit = Class 1 Public Primary Certification Authority - G2
Organizational Unit = (c) 1998 VeriSign, Inc. - For authorized use only
Organizational Unit = VeriSign Trust Network
Serial Number: 4c c7 ea aa 98 3e 71 d3 93 10 f8 3d 3a 89 91 92
Operational Period: Mon May 18, 1998 to Tue August 01, 2028
Certificate SHA1 Fingerprint: 273e e124 57fd c4f9 0c55 e82b 5616 7f62 f532 e547
~~

Copied from https://www.symantec.com/content/en/us/about/media/repository/stn-cps.pdf
~~
Note: *As of the dates indicated, the following root certificates are excluded from the scope of this document*:

- As of December 1, 2015: VeriSign Class 3 Public Primary Certification Authority
Country = US
Organization = VeriSign, Inc.
Organizational Unit = Class 3 Public Primary Certification Authority

- As of March 27, 2015: VeriSign Class 3 Public Primary Certification Authority – G2
Country = US
Organization = VeriSign, Inc.
Organizational Unit = Class 3 Public Primary Certification Authority - G2
Organizational Unit = (c) 1998 VeriSign, Inc. - For authorized use only
Organizational Unit = VeriSign Trust Network

Any references to PCAs or Class 3 PCAs in this CPS no longer apply to these root certificates. These root certificates are only intended to be used for private purposes and should be disabled in browsers’ trusted root lists. The Symantec Trust Network CP and CPS no longer govern the use of these root certificates and any of their subordinate services.
~~
Note: None of these root certs are enabled for EV treatment.

Depends on: 1247990

The test build is available here:
https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-4897de4acb25ddb71d521adb05b86667c000aed7/

I have confirmed the removal of the root certificates listed above.

The CA is also welcome to test with FirefoxDeveloperEdition.app by following the procedure described here: https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion

The removal of the root certificates listed above looks good with the test build
https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-4897de4acb25ddb71d521adb05b86667c000aed7/
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: Removed in NSS 3.23, Firefox 46
Duplicate of this bug: 1276146
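
A check a trust-store maintainer could run after this removal, added here as an example and not code from this bug or from NSS: it hashes every PEM block in a CA bundle and reports any that match the three SHA-1 fingerprints listed in the request, accepting both the colon-separated notation used there and the space-grouped notation quoted from Symantec. The function names and the sample bundle (placeholder bytes, not real certificates) are assumptions.

```python
import base64
import hashlib
import re

# SHA-1 fingerprints and names exactly as listed in the bug above.
RETIRED_ROOTS = {
    "27:3E:E1:24:57:FD:C4:F9:0C:55:E8:2B:56:16:7F:62:F5:32:E5:47": "VeriSign Class 1 Public PCA – G2",
    "A1:DB:63:93:91:6F:17:E4:18:55:09:40:04:15:C7:02:40:B0:AE:6B": "VeriSign Class 3 Public PCA",
    "85:37:1C:A6:E5:50:14:3D:CE:28:03:47:1B:DE:3A:09:E8:F8:77:0F": "VeriSign Class 3 Public PCA – G2",
}
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_fingerprint(text):
    """Reduce 'AA:BB:..' or 'aabb ccdd ..' notation to 40 lowercase hex digits."""
    digits = re.sub(r"[:\s]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{40}", digits):
        raise ValueError("not a SHA-1 fingerprint: %r" % text)
    return digits


def pem_fingerprints(bundle_text):
    """Yield the SHA-1 digest of the decoded (DER) bytes of each PEM block."""
    for match in PEM_BLOCK.finditer(bundle_text):
        der = base64.b64decode("".join(match.group(1).split()))
        yield hashlib.sha1(der).hexdigest()


def find_retired_roots(bundle_text, watchlist=RETIRED_ROOTS):
    """Return the sorted watchlist names whose fingerprints occur in the bundle."""
    wanted = {normalize_fingerprint(fp): name for fp, name in watchlist.items()}
    return sorted(wanted[fp] for fp in pem_fingerprints(bundle_text) if fp in wanted)


def to_pem(der):
    """Wrap raw bytes in certificate PEM armor (used only to build the sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed sample: placeholder bytes stand in for DER certificates, so the
# sample watchlist fingerprint is computed here and is not a real root's.
SAMPLE_DER = [b"constructed placeholder root A", b"constructed placeholder root B"]
SAMPLE_BUNDLE = "".join(to_pem(der) for der in SAMPLE_DER)
SAMPLE_WATCHLIST = {hashlib.sha1(SAMPLE_DER[1]).hexdigest(): "placeholder root B"}

if __name__ == "__main__":
    print(find_retired_roots(SAMPLE_BUNDLE))                    # bug's roots absent
    print(find_retired_roots(SAMPLE_BUNDLE, SAMPLE_WATCHLIST))  # placeholder found
```

To check a real store, pass the text of a PEM bundle file to `find_retired_roots`; a match identifies that exact certificate encoding only.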