Enable Certplus and OpenTrust root certificates for EV in PSM

RESOLVED FIXED in Firefox 50

Status: RESOLVED FIXED (P1, enhancement)
People: Reporter: kwilson, Assigned: keeler
Tracking: Target Milestone mozilla50; Firefox Tracking Flags: firefox50 fixed
Whiteboard: [psm-assigned]
Attachments: 1 attachment

(Reporter)

Description

3 years ago
Per bug #1025095 the request from DocuSign (OpenTrust/Keynectis) has been approved to enable the following root certificates for EV use. Please make the corresponding changes to PSM. 

Friendly Name: Certplus Root CA G1
SHA-1 Fingerprint: 2:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
SHA-256 Fingerprint: 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.1
Test URL: https://certplusrootcag1-test.opentrust.com
	 
Friendly Name: Certplus Root CA G2
SHA-1 Fingerprint: 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
SHA-256 Fingerprint: 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.2
Test URL: https://certplusrootcag2-test.opentrust.com
 
Friendly Name: OpenTrust Root CA G1
SHA-1 Fingerprint: 79:91:E8:34:F7:E2:EE:DD:08:95:01:52:E9:55:2D:14:E9:58:D5:7E
SHA-256 Fingerprint: 56:C7:71:28:D9:8C:18:D9:1B:4C:FD:FF:BC:25:EE:91:03:D4:75:8E:A2:AB:AD:82:6A:90:F3:45:7D:46:0E:B4
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag1-test.opentrust.com
	 
Friendly Name: OpenTrust Root CA G2
SHA-1 Fingerprint: 79:5F:88:60:C5:AB:7C:3D:92:E6:CB:F4:8D:E1:45:CD:11:EF:60:0B
SHA-256 Fingerprint: 27:99:58:29:FE:6A:75:15:C1:BF:E8:48:F9:C4:76:1D:B1:6C:22:59:29:25:7B:F4:0D:08:94:F2:9E:A8:BA:F2
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag2-test.opentrust.com
	 
Friendly Name: OpenTrust Root CA G3
SHA-1 Fingerprint: 6E:26:64:F3:56:BF:34:55:BF:D1:93:3F:7C:01:DE:D8:13:DA:8A:A6
SHA-256 Fingerprint: B7:C3:62:31:70:6E:81:07:8C:36:7C:B8:96:19:8F:1E:32:08:DD:92:69:49:DD:8F:57:09:A4:10:F7:5B:62:92
EV Policy OID: 1.3.6.1.4.1.22234.2.14.3.11
Test URL: https://opentrustrootcag3-test.opentrust.com
(Reporter)

Comment 1

3 years ago
Remi, Please confirm that the information in this bug is correct.

Comment 2

3 years ago
The EV Policy OIDs have been verified and are correct.
Test URLs and fingerprints are correct, with the same remark as in bug 1274674 regarding the SHA1 fingerprint for Certplus Root CA G1 (missing quartet).
(Reporter)

Comment 3

3 years ago
Erwann, Thank you for pointing out the mistake in the SHA1 fingerprint of Certplus Root CA G1, which should read:
SHA-1 Fingerprint: 22:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
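
The dropped digit caught in Comments 2 and 3 is the kind of error a mechanical format check finds before fingerprints are copied into a trust list. The following is an added example, not part of this bug or of Mozilla's code: it parses the field layout used in the Description and checks octet counts and OID syntax. The function names are hypothetical, and the sample is the first two entries as originally filed.

```python
import re

# Digest length in octets for each fingerprint label used in the request.
DIGEST_OCTETS = {"SHA-1 Fingerprint": 20, "SHA-256 Fingerprint": 32}
OCTET_RE = re.compile(r"^[0-9A-Fa-f]{2}$")
OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")

def parse_entries(text):
    """Split a request into one dict per root, keyed by the field labels."""
    entries = []
    for line in text.splitlines():
        label, sep, value = line.strip().partition(": ")
        if sep and label == "Friendly Name":
            entries.append({})          # each root starts at its Friendly Name
        if sep and entries:
            entries[-1][label] = value.strip()
    return entries

def check_entry(entry):
    """Return a list of format problems found in one root's fields."""
    problems = []
    for label, octets in DIGEST_OCTETS.items():
        groups = entry.get(label, "").split(":")
        bad = [g for g in groups if not OCTET_RE.match(g)]
        if bad:
            problems.append(f"{label}: malformed octet(s) {bad}")
        elif len(groups) != octets:
            problems.append(f"{label}: {len(groups)} octets, expected {octets}")
    if not OID_RE.match(entry.get("EV Policy OID", "")):
        problems.append("EV Policy OID: not a dotted-decimal OID")
    return problems

def audit(text):
    """Map friendly name -> problems, listing only the entries that fail."""
    results = {e.get("Friendly Name", "?"): check_entry(e) for e in parse_entries(text)}
    return {name: probs for name, probs in results.items() if probs}

# Sample input: the Certplus G1 and G2 entries as filed in the Description.
REQUEST = """\
Friendly Name: Certplus Root CA G1
SHA-1 Fingerprint: 2:FD:D0:B7:FD:A2:4E:0D:AC:49:2C:A0:AC:A6:7B:6A:1F:E3:F7:66
SHA-256 Fingerprint: 15:2A:40:2B:FC:DF:2C:D5:48:05:4D:22:75:B3:9C:7F:CA:3E:C0:97:80:78:B0:F0:EA:76:E5:61:A6:C7:43:3E
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.1
Friendly Name: Certplus Root CA G2
SHA-1 Fingerprint: 4F:65:8E:1F:E9:06:D8:28:02:E9:54:47:41:C9:54:25:5D:69:CC:1A
SHA-256 Fingerprint: 6C:C0:50:41:E6:44:5E:74:69:6C:4C:FB:C9:F8:0F:54:3B:7E:AB:BB:44:B4:CE:6F:78:7C:6A:99:71:C4:2F:17
EV Policy OID: 1.3.6.1.4.1.22234.3.5.3.2
"""
```

A format check only shows that a value is well-formed; confirming that it belongs to the root still requires hashing the DER-encoded certificate and comparing.
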
Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]
Priority: -- → P1
Oh - I guess this isn't ready to go until bug 1274674 lands and we update NSS in Firefox.
Priority: P1 → P3
(Reporter)

Comment 5

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #4)
> Oh - I guess this isn't ready to go until bug 1274674 lands and we update
> NSS in Firefox.

These roots have been included in NSS 3.25 and Firefox 49, so please proceed with enabling EV treatment for them. Thanks!
Priority: P3 → P1
Created attachment 8771564 [details]
bug 1274677 - Enable Certplus and OpenTrust root certificates for EV in PSM

Review commit: https://reviewboard.mozilla.org/r/64674/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/64674/
Attachment #8771564 - Flags: review?(cykesiopka.bmo)
Kathleen, what names should I use to describe the EV OIDs? I just went with "DocuSign EV OID 1/2/3" - is that sufficient or would something else be better?
Flags: needinfo?(kwilson)
(Reporter)

Comment 8

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #7)
> Kathleen, what names should I use to describe the EV OIDs? I just went with
> "DocuSign EV OID 1/2/3" - is that sufficient or would something else be
> better?

That seems fine to me.

Thanks!
Flags: needinfo?(kwilson)

Updated

2 years ago
Attachment #8771564 - Flags: review?(cykesiopka.bmo) → review+

Comment 9

2 years ago
Comment on attachment 8771564 [details]
bug 1274677 - Enable Certplus and OpenTrust root certificates for EV in PSM

https://reviewboard.mozilla.org/r/64674/#review61776

Looks good!
Thanks!

Kathleen - here's a build with these changes: https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-1c7488570b2360302e6b24a9c62ff033549bcc88/try-macosx64/firefox-50.0a1.en-US.mac.dmg
If you could verify that everything works as expected, that would be great.
Flags: needinfo?(kwilson)
(Reporter)

Comment 11

2 years ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #10)
> 
> Kathleen - here's a build with these changes:
> https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-
> 1c7488570b2360302e6b24a9c62ff033549bcc88/try-macosx64/firefox-50.0a1.en-US.
> mac.dmg
> If you could verify that everything works as expected, that would be great.

Tested. Working as expected.  Thanks!
Flags: needinfo?(kwilson)
Comment on attachment 8771564 [details]
bug 1274677 - Enable Certplus and OpenTrust root certificates for EV in PSM

Review request updated; see interdiff: https://reviewboard.mozilla.org/r/64674/diff/1-2/
(That update was to fix the comments so they were consistent with the rest of the comments in the EV list.)

Comment 15

2 years ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8a26f6b014e6
Enable Certplus and OpenTrust root certificates for EV in PSM r=Cykesiopka

Comment 16

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/8a26f6b014e6
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50