Closed
Bug 1289885
Opened 9 years ago
Closed 9 years ago
Enable VeriSign Class 3 Public PCA - G4 for EV in PSM
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
RESOLVED
FIXED
mozilla51
| | Tracking | Status |
|---|---|---|
| firefox51 | --- | fixed |
People
(Reporter: kathleen.a.wilson, Assigned: keeler)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
Per Bug #833974 the request from Symantec has been approved to enable the following root certificate for EV use. Please make the corresponding changes to PSM.
Friendly Name: VeriSign Class 3 Public Primary Certification Authority - G4
SHA-1 Fingerprint: 22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A
SHA-256 Fingerprint: 69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79
EV Policy OIDs:
2.16.840.1.113733.1.7.23.6
2.23.140.1.1
Test URL: https://ssltest35.ssl.symclab.com/
This root certificate was included in NSS 3.12.6 and Firefox 3.6.2.
Comment 1•9 years ago (Reporter)
Steve or Rick, please confirm that the information in this bug is correct.
Comment 2•9 years ago
I confirm the name, fingerprints and test URL. I confirm the Symantec EV OID from our arc.
At this time, aligned to CABF EVG 9.3.2, we specify our own EV policy identifier and do not include the CABF EV policy identifier. We may add the CABF OID in the future and would therefore appreciate its recognition along with our own OID.
Comment 3•9 years ago (Assignee)
Review commit: https://reviewboard.mozilla.org/r/67488/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/67488/
Attachment #8775314 - Flags: review?(jjones)
Updated•9 years ago (Assignee)
Assignee: nobody → dkeeler
Priority: -- → P1
Whiteboard: [psm-assigned]
Comment 4•9 years ago
Comment on attachment 8775314 [details]
bug 1289885 - Enable VeriSign Class 3 Public PCA - G4 for EV in PSM
https://reviewboard.mozilla.org/r/67488/#review64664
R+, matches the cert in question. Note that in https://bugzilla.mozilla.org/show_bug.cgi?id=1289885#c2 they actually ask for a second OID to be registered, which this data structure doesn't support. I guess there's nothing we can do for that request at this time?
Attachment #8775314 - Flags: review?(jjones) → review+
Comment 5•9 years ago (Reporter)
(In reply to Steven Medin from comment #2)
> I confirm the name, fingerprints and test URL. I confirm the Symantec EV OID
> from our arc.
>
> At this time, aligned to CABF EVG 9.3.2, we specify our own EV policy
> identifier and do not include the CABF EV policy identifier. We may add the
> CABF OID in the future and would therefore appreciate its recognition along
> with our own OID.
Steve, do you ever plan to issue SSL certs in this CA hierarchy without the 2.16.840.1.113733.1.7.23.6 OID?
i.e. with *only* the CABF EV OID.
Comment 6•9 years ago
Absolutely, and while the test URL provided shows a certificate that only contains our OID, we are currently issuing EV certificates with both until all browsers accept the CABF OID. We need our OID supported for legacy certs.
If only one can be recognized at this time, then we would need our OID to be that one. Once two can be supported, we would want the CABF OID recognized as well. We will stop using our OID once we can.
Comment 7•9 years ago (Assignee)
It's looking like it will be easier to enable the CABF OID for all EV roots at the same time rather than one at a time. That work will happen in bug 1243923.
Comment 8•9 years ago
Makes sense, and if it doesn't require an additional request we'll wait for that bug. For now, let's go with our own OID.
Comment 9•9 years ago (Assignee)
Ok - sounds good. My understanding is when bug 1243923 is completed, all EV roots will be enabled for the CABF OID with no extra requests necessary.
Kathleen, the build that enables the Symantec OID for this root should be available at https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-b0ff3f141e2d6f008a75f293214d46550315cf53/try-macosx64/ - can you confirm this works as expected? Thanks!
Flags: needinfo?(kwilson)
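The OID discussion in comments 2 through 9, as an added example that is not PSM's code and not part of the original bug: a simplified Python model with one EV policy OID per root, plus a switch that accepts the CABF OID for every EV-enabled root, as comment 7 describes for bug 1243923. `EV_ROOTS`, `ev_policy`, `normalize_fingerprint` and `fingerprint_of` are hypothetical names; the fingerprint and OIDs are the ones in the bug description.

```python
import hashlib

# Root fingerprint and OIDs as listed in the bug description.
G4_SHA256 = ("69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:"
             "48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79")
SYMANTEC_EV_OID = "2.16.840.1.113733.1.7.23.6"
CABF_EV_OID = "2.23.140.1.1"


def normalize_fingerprint(fp: str) -> str:
    """Reduce 'AA:BB:..' or 'aabb..' to lowercase hex and check the length."""
    hexed = fp.replace(":", "").replace(" ", "").lower()
    if len(hexed) != 64 or any(c not in "0123456789abcdef" for c in hexed):
        raise ValueError("not a SHA-256 fingerprint: %r" % fp)
    return hexed


def fingerprint_of(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


# Hypothetical table (an assumption of this model): one EV policy OID per root.
EV_ROOTS = {normalize_fingerprint(G4_SHA256): SYMANTEC_EV_OID}


def ev_policy(root_fp, leaf_policy_oids, accept_cabf_for_all=False):
    """Return the policy OID that earns EV treatment, or None."""
    try:
        root_oid = EV_ROOTS.get(normalize_fingerprint(root_fp))
    except ValueError:
        return None  # malformed fingerprint never matches a root
    if root_oid is None:
        return None  # root not enabled for EV: no OID in the leaf can help
    asserted = set(leaf_policy_oids)
    if root_oid in asserted:
        return root_oid  # the single OID registered for this root
    if accept_cabf_for_all and CABF_EV_OID in asserted:
        return CABF_EV_OID  # CABF OID accepted for every EV-enabled root
    return None
```

With the switch off, a certificate under this root that carries only the CABF OID gets no EV treatment, which is the case comments 5 and 6 are concerned with.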
Comment 10•9 years ago (Reporter)
(In reply to David Keeler [:keeler] (use needinfo?) from comment #9)
> Kathleen, the build that enables the Symantec OID for this root should be
> available at
> https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-
> b0ff3f141e2d6f008a75f293214d46550315cf53/try-macosx64/ - can you confirm
> this works as expected? Thanks!
Tested. Works as expected -- https://ssltest35.ssl.symclab.com/ gets EV treatment.
Thanks!
Flags: needinfo?(kwilson)
Comment 11•9 years ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/84f4017ae85f
Enable VeriSign Class 3 Public PCA - G4 for EV in PSM r=jcj
Comment 12•9 years ago
bugherder
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox51: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla51