Remove IGC/A root certificate

RESOLVED FIXED in 3.27

Status

task
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: kwilson, Assigned: kaie)

Details

Attachments

(1 attachment)

Reporter

Description

3 years ago
Please remove the following root certificate from NSS after December 31, 2016:

E = igca@sgdn.pm.gouv.fr
CN = IGC/A
OU = DCSSI
O = PM/SGDN
SHA-256 Fingerprint: B9:BE:A7:86:0A:96:2E:A3:61:1D:AB:97:AB:6D:A3:E2:1C:10:68:B9:7D:55:57:5E:D0:E1:12:79:C1:1C:89:32
SHA-1 Fingerprint: 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
Trust Bits: Websites, Email, Code Signing
Expires on: October 17, 2020

This root cert is not enabled for EV treatment

In response to the March 2016 CA Communication, this CA responded as follows:
https://wiki.mozilla.org/CA:Communications#March_2016_Responses
Government of France (ANSSI, DCSSI): The migration to new certificates will be effective on December 31st 2016. Only the root certificate (IGC/A, registered in the Mozilla Firefox browser) will be removed from the Mozilla's CA Certificate Program.
Assignee

Updated

3 years ago
Depends on: 1290999
Assignee

Updated

3 years ago
Depends on: 1296697
No longer depends on: 1290999
Reporter

Comment 1

3 years ago
> In response to the March 2016 CA Communication, this CA responded as follows:
> https://wiki.mozilla.org/CA:Communications#March_2016_Responses
> Government of France (ANSSI, DCSSI): The migration to new certificates will
> be effective on December 31st 2016. Only the root certificate (IGC/A,
> registered in the Mozilla Firefox browser) will be removed from the
> Mozilla's CA Certificate Program.

As per Bug #1301731, SHA-1 SSL certs are still being issued in this CA hierarchy, so we need to remove this root certificate sooner, rather than later.

Note that this root was previously constrained.
https://bugzilla.mozilla.org/show_bug.cgi?id=952572#c2
So, I do not think this removal warrants a security patch.

Kai, please proceed with removing this root cert in the next available NSS release/update, and then we will need to get it into the earliest reasonable Firefox train, probably Firefox 51.
Reporter

Updated

3 years ago
Blocks: 1301731
Reporter

Updated

3 years ago
Summary: Remove IGC/A root certificate after December 31, 2016 → Remove IGC/A root certificate
Assignee

Updated

3 years ago
No longer depends on: 1296697
Reporter

Comment 2

3 years ago
I started discussion about this here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Elo0gTNM8EA/OTtv5BlVEwAJ

Please proceed with removing this root cert in NSS 3.27 and Firefox 51.
Assignee

Updated

3 years ago
Blocks: 1296266
Assignee

Comment 3

3 years ago
Kathleen, can you please review that this patch performs the intended removal?
Assignee: nobody → kaie
Attachment #8793893 - Flags: review?(kwilson)
Assignee

Updated

3 years ago
Target Milestone: --- → 3.27
Reporter

Updated

3 years ago
Attachment #8793893 - Flags: review?(kwilson) → review+
Reporter

Comment 4

3 years ago
(In reply to Kai Engert (:kaie) from comment #3)
> Created attachment 8793893 [details] [diff] [review]
> 1272156-v1.patch
> 
> Kathleen, can you please review that this patch performs the intended removal?

The patch is correct and performs the intended removal. Thanks!
Assignee

Comment 5

3 years ago
Landed into NSS trunk and 3.27 release branch:
https://hg.mozilla.org/projects/nss/rev/c1876100f57f
https://hg.mozilla.org/projects/nss/rev/d625242e7831

The earlier root CA changes made for NSS 3.27 had not yet been released; we don't need to increase the root CA version number (keep it at 2.10).
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → FIXED
Reporter

Updated

2 years ago
Duplicate of this bug: 948579
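
Added example (not part of the bug thread and not NSS code): one way to confirm that a PEM CA bundle no longer carries the IGC/A root is to compare each entry's SHA-256 fingerprint with the one in the description. The function names and the sample bundle are assumptions; the sample entries are constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# SHA-256 fingerprint of the IGC/A root, as given in the bug description.
IGCA_SHA256 = ("B9:BE:A7:86:0A:96:2E:A3:61:1D:AB:97:AB:6D:A3:E2:"
               "1C:10:68:B9:7D:55:57:5E:D0:E1:12:79:C1:1C:89:32")

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize(fp):
    """Strip colons/whitespace from a hex SHA-256 fingerprint and lowercase it."""
    hexstr = re.sub(r"[:\s]", "", fp).lower()
    if len(hexstr) != 64 or re.search(r"[^0-9a-f]", hexstr):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return hexstr


def bundle_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of every entry in a PEM bundle."""
    out = []
    for m in PEM_RE.finditer(pem_text):
        # The fingerprint is taken over the DER bytes, not the PEM text.
        der = base64.b64decode("".join(m.group(1).split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out


def find_removed_roots(pem_text, removed=(IGCA_SHA256,)):
    """Return indexes of bundle entries whose fingerprint is on the removed list."""
    wanted = {normalize(fp) for fp in removed}
    return [i for i, fp in enumerate(bundle_fingerprints(pem_text))
            if fp in wanted]


def pem_wrap(der):
    """PEM-armour raw bytes (helper used only to build the sample bundle)."""
    body = base64.encodebytes(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + body +
            "-----END CERTIFICATE-----\n")


# Constructed stand-ins: arbitrary bytes in PEM armour, not real certificates.
SAMPLE_BUNDLE = pem_wrap(b"constructed-placeholder-cert-A") + \
    pem_wrap(b"constructed-placeholder-cert-B")

if __name__ == "__main__":
    hits = find_removed_roots(SAMPLE_BUNDLE)
    print("IGC/A still present at", hits if hits else "no position")
```

To check a real store, pass the text of an exported PEM bundle to find_removed_roots(); an empty list means no entry matches the IGC/A fingerprint.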