Closed Bug 1272156 Opened 8 years ago Closed 8 years ago

Remove IGC/A root certificate

Categories

(NSS :: CA Certificates Code, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

Attachments

(1 file)

Please remove the following root certificate from NSS after December 31, 2016:

E = igca@sgdn.pm.gouv.fr
CN = IGC/A
OU = DCSSI
O = PM/SGDN
SHA-256 Fingerprint: B9:BE:A7:86:0A:96:2E:A3:61:1D:AB:97:AB:6D:A3:E2:1C:10:68:B9:7D:55:57:5E:D0:E1:12:79:C1:1C:89:32
SHA-1 Fingerprint: 60:D6:89:74:B5:C2:65:9E:8A:0F:C1:88:7C:88:D2:46:69:1B:18:2C
Trust Bits: Websites, Email, Code Signing
Expires on: October 17, 2020

This root cert is not enabled for EV treatment

In response to the March 2016 CA Communication, this CA responded as follows:
https://wiki.mozilla.org/CA:Communications#March_2016_Responses
Government of France (ANSSI, DCSSI): The migration to new certificates will be effective on December 31st 2016. Only the root certificate (IGC/A, registered in the Mozilla Firefox browser) will be removed from the Mozilla's CA Certificate Program.
Depends on: 1290999
Depends on: 1296697
No longer depends on: 1290999
> In response to the March 2016 CA Communication, this CA responded as follows:
> https://wiki.mozilla.org/CA:Communications#March_2016_Responses
> Government of France (ANSSI, DCSSI): The migration to new certificates will
> be effective on December 31st 2016. Only the root certificate (IGC/A,
> registered in the Mozilla Firefox browser) will be removed from the
> Mozilla's CA Certificate Program.

As per Bug #1301731, SHA-1 SSL certs are still being issued in this CA hierarchy, so we need to remove this root certificate sooner, rather than later.

Note that this root was previously constrained.
https://bugzilla.mozilla.org/show_bug.cgi?id=952572#c2
So, I do not think this removal warrants a security patch.

Kai, please proceed with removing this root cert in the next available NSS release/update, and then we will need to get it into the earliest reasonable Firefox train, probably Firefox 51.
Blocks: 1301731
Summary: Remove IGC/A root certificate after December 31, 2016 → Remove IGC/A root certificate
No longer depends on: 1296697
I started discussion about this here:
https://groups.google.com/d/msg/mozilla.dev.security.policy/Elo0gTNM8EA/OTtv5BlVEwAJ

Please proceed with removing this root cert in NSS 3.27 and Firefox 51.
Blocks: 1296266
Attached patch 1272156-v1.patch
Kathleen, can you please review that this patch performs the intended removal?
Assignee: nobody → kaie
Attachment #8793893 - Flags: review?(kwilson)
Target Milestone: --- → 3.27
Attachment #8793893 - Flags: review?(kwilson) → review+
(In reply to Kai Engert (:kaie) from comment #3)
> Created attachment 8793893
> 1272156-v1.patch
> 
> Kathleen, can you please review that this patch performs the intended removal?

The patch is correct and performs the intended removal. Thanks!
Landed into NSS trunk and 3.27 release branch:
https://hg.mozilla.org/projects/nss/rev/c1876100f57f
https://hg.mozilla.org/projects/nss/rev/d625242e7831

The earlier root CA changes made for NSS 3.27 had not yet been released; we don't need to increase the root CA version number (keep it at 2.10).
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
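
A check that can be run against an exported PEM trust bundle to confirm the root named in this bug is no longer present, matching on the SHA-256 fingerprint listed in the report. This is an added example, not part of the bug or of NSS; the function names and the sample bundle (placeholder bytes, not real certificates) are constructed for illustration.

```python
import base64
import hashlib
import re

# SHA-256 fingerprint of the IGC/A root, as given in this bug report.
IGCA_SHA256 = ("B9:BE:A7:86:0A:96:2E:A3:61:1D:AB:97:AB:6D:A3:E2:"
               "1C:10:68:B9:7D:55:57:5E:D0:E1:12:79:C1:1C:89:32")

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize(fp):
    """Strip separators and case so 'B9:BE..' and 'b9be..' compare equal."""
    hexstr = re.sub(r"[^0-9A-Fa-f]", "", fp).lower()
    if len(hexstr) != 64:
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return hexstr


def bundle_fingerprints(pem_text):
    """Return the SHA-256 of the DER bytes of each certificate in a PEM bundle."""
    out = []
    for body in PEM_BLOCK.findall(pem_text):
        der = base64.b64decode("".join(body.split()), validate=True)
        out.append(hashlib.sha256(der).hexdigest())
    return out


def find_root(pem_text, fingerprint=IGCA_SHA256):
    """Return 0-based positions in the bundle whose fingerprint matches."""
    want = normalize(fingerprint)
    return [i for i, fp in enumerate(bundle_fingerprints(pem_text)) if fp == want]


def make_pem(der):
    """Wrap raw bytes as a PEM certificate block (used only for the sample)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# Constructed sample: placeholder byte strings, not real certificates.
SAMPLE_DER = [b"constructed-root-A" * 8, b"constructed-root-B" * 8]
SAMPLE_BUNDLE = "# comment line\n" + "".join(make_pem(d) for d in SAMPLE_DER)

if __name__ == "__main__":
    print("IGC/A present at positions:", find_root(SAMPLE_BUNDLE))
```

An empty result means no certificate in the bundle hashes to the fingerprint; pass the text of a real exported bundle in place of `SAMPLE_BUNDLE` to audit it.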