Closed Bug 1274677 Opened 3 years ago Closed 3 years ago

Enable Certplus and OpenTrust root certificates for EV in PSM

Categories

(Core :: Security: PSM, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla50
Tracking Status
firefox50 --- fixed

People

(Reporter: kwilson, Assigned: keeler)

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Per bug #1025095 the request from DocuSign (OpenTrust/Keynectis) has been approved to enable the following root certificates for EV use. Please make the corresponding changes to PSM. 

Friendly Name: Certplus Root CA G1
SHA-1 Fingerprint: 2:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
SHA-256 Fingerprint: 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.1
Test URL: https://certplusrootcag1-test.opentrust.com
	 
Friendly Name: Certplus Root CA G2
SHA-1 Fingerprint: 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
SHA-256 Fingerprint: 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.2
Test URL: https://certplusrootcag2-test.opentrust.com
 
Friendly Name: OpenTrust Root CA G1
SHA-1 Fingerprint: 79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E
SHA-256 Fingerprint: 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag1-test.opentrust.com
	 
Friendly Name: OpenTrust Root CA G2
SHA-1 Fingerprint: 79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B
SHA-256 Fingerprint: 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag2-test.opentrust.com
	 
Friendly Name: OpenTrust Root CA G3
SHA-1 Fingerprint: 6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6
SHA-256 Fingerprint: B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag3-test.opentrust.com

Remi, please confirm that the information in this bug is correct.
The EV Policy OIDs have been verified and are correct.
Test URLs and fingerprints are correct, with the same remark as in bug 1274674 regarding the SHA1 fingerprint for Certplus Root CA G1 (missing quartet).
Erwann, Thank you for pointing out the mistake in the SHA1 fingerprint of Certplus Root CA G1, which should read:
SHA-1 Fingerprint: 22:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
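
The slip caught in the comments above, a SHA-1 fingerprint with a one-digit octet, can be detected mechanically before values are copied into a trust-store change. The following is an added example, not part of the bug thread or of PSM; the parser and function names are assumptions, and the two records are copied from the request as originally filed.

```python
import re

DIGEST_OCTETS = {"SHA-1": 20, "SHA-256": 32}    # digest sizes in octets
OCTET = re.compile(r"[0-9A-Fa-f]{2}")           # exactly two hex digits
OID = re.compile(r"[0-2](\.(0|[1-9][0-9]*))+")  # dotted-decimal OID

# First two records of the request, copied as originally filed in this bug.
REQUEST = """\
Friendly Name: Certplus Root CA G1
SHA-1 Fingerprint: 2:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
SHA-256 Fingerprint: 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.1

Friendly Name: Certplus Root CA G2
SHA-1 Fingerprint: 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
SHA-256 Fingerprint: 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.2
"""

def parse_records(text):
    """Split 'Key: value' lines into one dict per 'Friendly Name' block."""
    records = []
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            continue
        if key.strip() == "Friendly Name":
            records.append({})
        if records:
            records[-1][key.strip()] = value.strip()
    return records

def check_record(rec):
    """Return a list of format problems for one root's record."""
    problems = []
    for algo, size in DIGEST_OCTETS.items():
        octets = rec.get(f"{algo} Fingerprint", "").split(":")
        bad = [o for o in octets if not OCTET.fullmatch(o)]
        if bad:
            problems.append(f"{algo}: malformed octet(s) {bad}")
        if len(octets) != size:
            problems.append(f"{algo}: {len(octets)} octets, expected {size}")
    if not OID.fullmatch(rec.get("EV Policy OID", "")):
        problems.append("EV Policy OID: not a dotted-decimal OID")
    return problems

def audit(text):
    """Map each root's friendly name to its list of problems."""
    return {r["Friendly Name"]: check_record(r) for r in parse_records(text)}

if __name__ == "__main__":
    for name, problems in audit(REQUEST).items():
        print(name, "OK" if not problems else problems)
```

A clean result only shows the values are well-formed; the fingerprints still have to be compared against digests computed from the certificates actually shipped in NSS.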
Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]
Priority: -- → P1
Oh - I guess this isn't ready to go until bug 1274674 lands and we update NSS in Firefox.
Priority: P1 → P3
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> Oh - I guess this isn't ready to go until bug 1274674 lands and we update
> NSS in Firefox.

These roots have been included in NSS 3.25 and Firefox 49, so please proceed with enabling EV treatment for them. Thanks!
Priority: P3 → P1
Kathleen, what names should I use to describe the EV OIDs? I just went with "DocuSign EV OID 1/2/3" - is that sufficient or would something else be better?
Flags: needinfo?(kwilson)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> Kathleen, what names should I use to describe the EV OIDs? I just went with
> "DocuSign EV OID 1/2/3" - is that sufficient or would something else be
> better?

That seems fine to me.

Thanks!
Flags: needinfo?(kwilson)
Attachment #8771564 - Flags: review?(cykesiopka.bmo) → review+
Comment on attachment 8771564 [details]
bug 1274677 - Enable Certplus and OpenTrust root certificates for EV in PSM

https://reviewboard.mozilla.org/r/64674/#review61776

Looks good!
Thanks!

Kathleen - here's a build with these changes: https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-1c7488570b2360302e6b24a9c62ff033549bcc88/try-macosx64/firefox-50.0a1.en-US.mac.dmg
If you could verify that everything works as expected, that would be great.
Flags: needinfo?(kwilson)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #10)
> 
> Kathleen - here's a build with these changes:
> https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-
> 1c7488570b2360302e6b24a9c62ff033549bcc88/try-macosx64/firefox-50.0a1.en-US.
> mac.dmg
> If you could verify that everything works as expected, that would be great.

Tested. Working as expected.  Thanks!
Flags: needinfo?(kwilson)
Comment on attachment 8771564 [details]
bug 1274677 - Enable Certplus and OpenTrust root certificates for EV in PSM

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/64674/diff/1-2/
(That update was to fix the comments so they were consistent with the rest of the comments in the EV list.)
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8a26f6b014e6
Enable Certplus and OpenTrust root certificates for EV in PSM r=Cykesiopka
https://hg.mozilla.org/mozilla-central/rev/8a26f6b014e6
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50