Bug 1272156: Remove IGC/A root certificate
Status: Closed (RESOLVED FIXED)
Opened 9 years ago, closed 9 years ago
Categories: NSS :: CA Certificates Code, task
Target Milestone: 3.27
Tracking: Not tracked
People: Reporter: kathleen.a.wilson, Assigned: KaiE
Attachments: 1 file (8.69 KB, patch), kathleen.a.wilson: review+

Description • Reporter • 9 years ago
Please remove the following root certificate from NSS after December 31, 2016:
E = igca@sgdn.pm.gouv.fr
CN = IGC/A
OU = DCSSI
O = PM/SGDN
SHA-256 Fingerprint: B9:BE:A7:86:0A:96:2E:A3:61:1D:AB:97:AB:6D:A3:E2:1C:10:68:B9:7D:55:57:5E:D0:E1:12:79:C1:1C:89:32
SHA-1 Fingerprint: 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
Trust Bits: Websites, Email, Code Signing
Expires on: October 17, 2020
This root cert is not enabled for EV treatment
In response to the March 2016 CA Communication, this CA responded as follows:
https://wiki.mozilla.org/CA:Communications#March_2016_Responses
Government of France (ANSSI, DCSSI): The migration to new certificates will be effective on December 31st 2016. Only the root certificate (IGC/A, registered in the Mozilla Firefox browser) will be removed from the Mozilla's CA Certificate Program.

Comment 1 • Reporter • 9 years ago
> In response to the March 2016 CA Communication, this CA responded as follows:
> https://wiki.mozilla.org/CA:Communications#March_2016_Responses
> Government of France (ANSSI, DCSSI): The migration to new certificates will
> be effective on December 31st 2016. Only the root certificate (IGC/A,
> registered in the Mozilla Firefox browser) will be removed from the
> Mozilla's CA Certificate Program.
As per Bug #1301731, SHA-1 SSL certs are still being issued in this CA hierarchy, so we need to remove this root certificate sooner, rather than later.
Note that this root was previously constrained.
https://bugzilla.mozilla.org/show_bug.cgi?id=952572#c2
So, I do not think this removal warrants a security patch.
Kai, please proceed with removing this root cert in the next available NSS release/update, and then we will need to get it into the earliest reasonable Firefox train, probably Firefox 51.

Updated • Reporter • 9 years ago
Summary: Remove IGC/A root certificate after December 31, 2016 → Remove IGC/A root certificate

Comment 2 • Reporter • 9 years ago
I started discussion about this here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Elo0gTNM8EA/OTtv5BlVEwAJ
Please proceed with removing this root cert in NSS 3.27 and Firefox 51.

Comment 3 • Assignee • 9 years ago
Kathleen, can you please review that this patch performs the intended removal?
Assignee: nobody → kaie
Attachment #8793893 - Flags: review?(kwilson)

Updated • Assignee • 9 years ago
Target Milestone: --- → 3.27

Updated • Reporter • 9 years ago
Attachment #8793893 - Flags: review?(kwilson) → review+

Comment 4 • Reporter • 9 years ago
(In reply to Kai Engert (:kaie) from comment #3)
> Created attachment 8793893
> 1272156-v1.patch
>
> Kathleen, can you please review that this patch performs the intended removal?
The patch is correct and performs the intended removal. Thanks!

Comment 5 • Assignee • 9 years ago
Landed into NSS trunk and 3.27 release branch:
https://hg.mozilla.org/projects/nss/rev/c1876100f57f
https://hg.mozilla.org/projects/nss/rev/d625242e7831
The earlier root CA changes made for NSS 3.27 had not yet been released; we don't need to increase the root CA version number (keep it at 2.10).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
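
Added example (not part of the bug thread or the NSS patch): a check for whether a PEM CA bundle still carries the IGC/A root, matched by the SHA-256 fingerprint given in the description. It assumes the trust store is available as PEM text; the function names and the sample bundle are constructed for illustration.

```python
import base64
import hashlib
import re

# SHA-256 fingerprint of the IGC/A root, copied from the bug description.
IGCA_SHA256 = ("B9:BE:A7:86:0A:96:2E:A3:61:1D:AB:97:AB:6D:A3:E2:"
               "1C:10:68:B9:7D:55:57:5E:D0:E1:12:79:C1:1C:89:32")
PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL)

def normalize(fingerprint):
    """Reduce 'AA:BB' or 'aa bb' notation to bare lowercase hex."""
    return re.sub(r"[^0-9a-f]", "", fingerprint.lower())

def bundle_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (lowercase hex) of every PEM block.

    A fingerprint is the hash of the DER encoding, so the base64 body is
    decoded and hashed; the certificate itself is not parsed.
    """
    prints = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        prints.append(hashlib.sha256(der).hexdigest())
    return prints

def find_root(pem_text, fingerprint=IGCA_SHA256):
    """Return 0-based positions of bundle entries matching the fingerprint."""
    wanted = normalize(fingerprint)
    if len(wanted) != 64:
        raise ValueError("expected a 32-byte SHA-256 fingerprint")
    return [i for i, fp in enumerate(bundle_fingerprints(pem_text))
            if fp == wanted]

def make_pem(der):
    """Wrap raw bytes in certificate armor (builds the constructed sample)."""
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(rows)
            + "\n-----END CERTIFICATE-----\n")

# Constructed sample: two placeholder byte strings, not real certificates.
SAMPLE_DER = [b"constructed placeholder A" * 8, b"constructed placeholder B" * 8]
SAMPLE_BUNDLE = "".join(make_pem(d) for d in SAMPLE_DER)

if __name__ == "__main__":
    print("IGC/A entries in sample bundle:", find_root(SAMPLE_BUNDLE))
```

An empty result for a real bundle means no entry has the IGC/A fingerprint; any index returned identifies a copy of the root that is still present.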