Remove non-audited Symantec root certs from NSS

RESOLVED FIXED in 3.27

Status

Product: NSS
Component: CA Certificates Code
Status: RESOLVED FIXED
Opened: 2 years ago
Modified: a year ago

People

(Reporter: Kathleen Wilson, Unassigned)

Description

2 years ago
Please remove the following root certificates from NSS, because they are not included in the current audit statements.

1) Class 1 Public Primary Certification Authority
SHA-256 Fingerprint:
51:84:7C:8C:BD:2E:9A:72:C9:1E:29:2D:2A:E2:47:D7:DE:1E:3F:D2:70:54:7A:20:EF:7D:61:0F:38:B8:84:2C
SHA-1 Fingerprint: CE:6A:64:A3:09:E4:2F:BB:D9:85:1C:45:3E:64:09:EA:E8:7D:60:F1

2) Class 2 Public Primary Certification Authority - G2
SHA-256 Fingerprint:
3A:43:E2:20:FE:7F:3E:A9:65:3D:1E:21:74:2E:AC:2B:75:C2:0F:D8:98:03:05:BC:50:2C:AF:8C:2D:9B:41:A1
SHA-1 Fingerprint: B3:EA:C4:47:76:C9:C8:1C:EA:F2:9D:95:B6:CC:A0:08:1B:67:EC:9D

3) Class 3 Public Primary Certification Authority
SHA-256 Fingerprint:
E7:68:56:34:EF:AC:F6:9A:CE:93:9A:6B:25:5B:7B:4F:AB:EF:42:93:5B:50:A2:65:AC:B5:CB:60:27:E4:4E:70
SHA-1 Fingerprint: 74:2C:31:92:E6:07:E4:24:EB:45:49:54:2B:E1:BB:C5:3E:61:74:E2

4) Equifax Secure Certificate Authority
SHA-256 Fingerprint:
08:29:7A:40:47:DB:A2:36:80:C7:31:DB:6E:31:76:53:CA:78:48:E1:BE:BD:3A:0B:01:79:A7:07:F9:2C:F1:78
SHA-1 Fingerprint: D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A

5) Equifax Secure eBusiness CA-1
SHA-256 Fingerprint:
CF:56:FF:46:A4:A1:86:10:9D:D9:65:84:B5:EE:B5:8A:51:0C:42:75:B0:E5:F9:4F:40:BB:AE:86:5E:19:F6:73
SHA-1 Fingerprint: DA:40:18:8B:91:89:A3:ED:EE:AE:DA:97:FE:2F:9D:F5:B7:D1:8A:41

6) Equifax Secure Global eBusiness CA-1
SHA-256 Fingerprint:
5F:0B:62:EA:B5:E3:53:EA:65:21:65:16:58:FB:B6:53:59:F4:43:28:0A:4A:FB:D1:04:D7:7D:10:F9:F0:4C:07
SHA-1 Fingerprint: 7E:78:4A:10:1C:82:65:CC:2D:E1:F1:6D:47:B4:40:CA:D9:0A:19:45

Only the Email trust bit is currently enabled for these root certs.

Comment 1

2 years ago
I confirm no Thunderbird/NSS impact if the Equifax roots are removed.  

We are double checking the PCAs, but our root strategy has been operating with the currently audited G3 generation for enough time that we don't expect database scan results that will show email client failure due to removal of the three PCAs either.  I will follow up to confirm.

Updated

2 years ago
Depends on: 1290999

Comment 2

2 years ago
I confirm that these six roots may be removed.

Updated

a year ago
Depends on: 1296689
No longer depends on: 1290999

Updated

a year ago
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → 3.27