NSS3.4 USPS cert in Web Site certs by default



Core Graveyard
Security: UI
16 years ago
a year ago


(Reporter: John Unruh, Assigned: Stephane Saux)


1.0 Branch
Windows 2000

Firefox Tracking Flags

(Not tracked)



(1 attachment)



16 years ago
1.) Create a new profile and start the browser.
2.) Open the Cert Manager and Web Sites tab.
What happens: The US Post Office cert appears.
What is expected: No cert should be there in a new profile. 2/20 Win2000 trunk.

Comment 1

16 years ago
cc relyea and wtc.  Since this behavior wasn't present pre NSS3.4, I suspect
that 3.4 has something to do with it.
Priority: -- → P1
Summary: USPS cert in Web Site certs by default → NSS3.4 USPS cert in Web Site certs by default
Target Milestone: --- → 2.2

Comment 2

16 years ago
This is still occurring in Build ID 2002022503

Comment 3

16 years ago
Ian, is this cert new?


Comment 4

16 years ago
I presume the cert is "USPS Production 1".  This cert is not at all new.  It is
an intermediate CA cert issued by "USPS Root".  It should not be default
trusted, as it is not a root.  What it should be marked as is "valid CA", so
that it shows up as untrusted in the CA list (previously, it was marked as
untrusted, so it didn't show up; the customer did not like that).  However, it
is marked as "valid peer", causing it to show up in the web sites tab.  I don't
know why this showed up in 3.4, but the builtin entry is marked incorrectly at
any rate.

Comment 5

16 years ago
Created attachment 71911 [details] [diff] [review]
trust USPS Production 1 as valid CA

Comment 6

16 years ago
Patch checked in.  Will have to wait for next PSM update.
Ian, doesn't the trust flag "valid CA" imply that it's trusted?
I agree with your comment that intermediate CAs should not be marked
as trusted.  Does the change you made cause this CA to be trusted now?

Comment 8

16 years ago
No.  "valid" is equivalent to "c,c,c", "Trusted" is equivalent to "C,C,C".

Comment 9

16 years ago
No. Trusted CA means it's trusted; Valid CA means simply that it is a CA.


16 years ago
Blocks: 128593

Comment 10

16 years ago
Comment on attachment 71911 [details] [diff] [review]
trust USPS Production 1 as valid CA

I checked Ian's patch into the NSS_CLIENT_TAG of NSS.
I think this bug can be marked fixed now.

Comment 11

16 years ago
Marking fixed as wtc suggested.
Last Resolved: 16 years ago
Resolution: --- → FIXED

Comment 12

16 years ago
Verified that the USPS Production 1 CA appears now in the authorities tab and 
not the web sites tab. The CA is also NOT trusted. Please open a new bug if that 
is not correct.

Comment 13

16 years ago
It is correct that the USPS Production 1 CA is NOT trusted.
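
The distinction drawn in Comments 4, 8 and 9 ("valid peer" vs. "valid CA" vs. "Trusted CA") can be checked mechanically. The following is an added example, not part of this bug thread or of NSS: it decodes trust triplets as printed by `certutil -L` and reports any known intermediate CA whose flags are anything other than plain "valid CA". The listing is constructed, the `p,p,p` value for the pre-patch entry is an assumption based on Comment 4's "valid peer" description, and the function names are hypothetical.

```python
import re

# Flag letters as documented for the NSS certutil -t option.
FLAGS = {
    "p": "valid peer", "P": "trusted peer", "c": "valid CA",
    "C": "trusted CA", "T": "trusted CA (client auth)", "u": "user cert",
    "w": "send warning",
}
USAGES = ("ssl", "email", "object_signing")
LINE = re.compile(r"^(.*?)\s+([pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)\s*$")

# Constructed sample in the layout of `certutil -L` output (not real data).
SAMPLE = """\
Certificate Nickname                     Trust Attributes
                                         SSL,S/MIME,JAR/XPI

USPS Root                                C,C,C
USPS Production 1                        p,p,p
"""

def decode_trust(trust):
    """Split an 'SSL,email,object-signing' triplet into named flag sets."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected three comma-separated fields: {trust!r}")
    decoded = {}
    for usage, field in zip(USAGES, fields):
        unknown = set(field) - set(FLAGS)
        if unknown:
            raise ValueError(f"unknown flag(s) {sorted(unknown)} in {trust!r}")
        decoded[usage] = {FLAGS[ch] for ch in field}
    return decoded

def audit_intermediates(listing, intermediates):
    """Report intermediates carrying any flag other than plain 'valid CA'."""
    findings = []
    for line in listing.splitlines():
        m = LINE.match(line)
        if not m or m.group(1) not in intermediates:
            continue  # header, blank line, or a cert we are not auditing
        for usage, meanings in decode_trust(m.group(2)).items():
            bad = meanings - {"valid CA"}
            if bad:
                findings.append((m.group(1), usage, sorted(bad)))
    return findings

if __name__ == "__main__":
    for finding in audit_intermediates(SAMPLE, {"USPS Production 1"}):
        print(finding)
```

The set of intermediate nicknames is supplied by the operator; the script does not inspect the certificates themselves to decide whether they are roots.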


13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core


10 years ago
Version: psm2.2 → 1.0 Branch
Product: Core → Core Graveyard