Closed Bug 1289885 Opened 4 years ago Closed 4 years ago

Enable VeriSign Class 3 Public PCA - G4 for EV in PSM

Categories

(Core :: Security: PSM, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: kwilson, Assigned: keeler)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Per Bug #833974 the request from Symantec has been approved to enable the following root certificate for EV use. Please make the corresponding changes to PSM.

Friendly Name: VeriSign Class 3 Public Primary Certification Authority - G4
SHA-1 Fingerprint: 22:D5:D8:DF:8F:02:31:D1:8D:F7:9D:B7:CF:8A:2D:64:C9:3F:6C:3A
SHA-256 Fingerprint: 69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79
EV Policy OIDs: 
2.16.840.1.113733.1.7.23.6
2.23.140.1.1
Test URL: https://ssltest35.ssl.symclab.com/

This root certificate was included in NSS 3.12.6 and Firefox 3.6.2.
Steve or Rick, please confirm that the information in this bug is correct.
I confirm the name, fingerprints and test URL. I confirm the Symantec EV OID from our arc. 

At this time, aligned to CABF EVG 9.3.2, we specify our own EV policy identifier and do not include the CABF EV policy identifier. We may add the CABF OID in the future and would therefore appreciate its recognition along with our own OID.
Assignee: nobody → dkeeler
Priority: -- → P1
Whiteboard: [psm-assigned]
Comment on attachment 8775314
bug 1289885 - Enable VeriSign Class 3 Public PCA - G4 for EV in PSM

https://reviewboard.mozilla.org/r/67488/#review64664

R+, matches the cert in question. Note that in https://bugzilla.mozilla.org/show_bug.cgi?id=1289885#c2 they actually ask for a second OID to be registered, which this data structure doesn't support. I guess there's nothing we can do for that request at this time?
Attachment #8775314 - Flags: review?(jjones) → review+
(In reply to Steven Medin from comment #2)
> I confirm the name, fingerprints and test URL. I confirm the Symantec EV OID
> from our arc. 
> 
> At this time, aligned to CABF EVG 9.3.2, we specify our own EV policy
> identifier and do not include the CABF EV policy identifier. We may add the
> CABF OID in the future and would therefore appreciate its recognition along
> with our own OID.

Steve, do you ever plan to issue SSL certs in this CA hierarchy without the 2.16.840.1.113733.1.7.23.6 OID?
i.e. with *only* the CABF EV OID.
Absolutely, and while the test URL provided shows a certificate that only contains our OID, we are currently issuing EV certificates with both until all browsers accept the CABF OID. We need our OID supported for legacy certs.

If only one can be recognized at this time, then we would need our OID to be that one. Once two can be supported, we would want the CABF OID recognized as well. We will stop using our OID once we can.
It's looking like it will be easier to enable the CABF OID for all EV roots at the same time rather than one at a time. That work will happen in bug 1243923.
Makes sense, and if it doesn't require an additional request we'll wait for that bug. For now, let's go with our own OID.
Ok - sounds good. My understanding is when bug 1243923 is completed, all EV roots will be enabled for the CABF OID with no extra requests necessary.

Kathleen, the build that enables the Symantec OID for this root should be available at https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-b0ff3f141e2d6f008a75f293214d46550315cf53/try-macosx64/ - can you confirm this works as expected? Thanks!
Flags: needinfo?(kwilson)
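The exchange above (and the reviewer's remark on the patch) turns on two things: which policy OID in a leaf's certificatePolicies extension PSM matches against this root, and the fact that the EV root table holds one OID per root. The following is an added Python model of that lookup, not PSM's or Mozilla's code; the OIDs and fingerprint are copied from this bug, while the table shape, function names and the `with_cabf_oid` step are assumptions for illustration. It also DER-encodes and decodes the two policy OIDs so the bytes that actually appear in a certificate can be checked.

```python
# Values below are copied from this bug; the table shape is a constructed model of
# PSM's one-EV-OID-per-root list (the limitation the reviewer notes), not Mozilla's code.
SYMANTEC_EV_OID = "2.16.840.1.113733.1.7.23.6"
CABF_EV_OID = "2.23.140.1.1"
VERISIGN_G4_SHA256 = ("69:DD:D7:EA:90:BB:57:C9:3E:13:5D:C8:5E:A6:FC:D5:"
                      "48:0B:60:32:39:BD:C4:54:FC:75:8B:2A:26:CF:7F:79")

def normalize_fp(fp: str) -> str:
    """Canonical form for comparing colon-separated hex fingerprints."""
    return fp.replace(":", "").replace(" ", "").lower()

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06) as it sits in certificatePolicies."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for v in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]          # low 7 bits go last, without continuation bit
        v >>= 7
        while v:
            chunk.append((v & 0x7F) | 0x80)
            v >>= 7
        body.extend(reversed(chunk))
    if len(body) >= 128:
        raise ValueError("long-form length not needed for EV policy OIDs")
    return bytes([0x06, len(body)]) + bytes(body)

def decode_oid(der: bytes) -> str:
    """Inverse of encode_oid; rejects a wrong tag/length or a cut-off arc."""
    if len(der) < 3 or der[0] != 0x06 or der[1] != len(der) - 2 or der[-1] & 0x80:
        raise ValueError("malformed DER OBJECT IDENTIFIER")
    arcs, acc = [], 0
    for b in der[2:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:            # last byte of this sub-identifier
            arcs.append(acc)
            acc = 0
    lead = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in lead + arcs[1:])

EV_ROOTS = {normalize_fp(VERISIGN_G4_SHA256): {SYMANTEC_EV_OID}}  # one OID per root

def ev_granted(root_fp: str, leaf_policy_oids, ev_roots=EV_ROOTS) -> bool:
    """EV treatment iff the chain's root is listed and the leaf's
    certificatePolicies carries an OID registered for that root."""
    allowed = ev_roots.get(normalize_fp(root_fp), set())
    return any(oid in allowed for oid in leaf_policy_oids)

def with_cabf_oid(ev_roots):
    """What bug 1243923 is to do: recognise the CABF EV OID for every EV root."""
    return {fp: oids | {CABF_EV_OID} for fp, oids in ev_roots.items()}
```

With the table as enabled by this bug, a leaf under this root carrying only 2.23.140.1.1 gets no EV treatment; after `with_cabf_oid` it does, which is the case Kathleen asks about.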
(In reply to David Keeler [:keeler] (use needinfo?) from comment #9)
> Kathleen, the build that enables the Symantec OID for this root should be
> available at
> https://archive.mozilla.org/pub/firefox/try-builds/dkeeler@mozilla.com-b0ff3f141e2d6f008a75f293214d46550315cf53/try-macosx64/ - can you confirm
> this works as expected? Thanks!

Tested. Works as expected -- https://ssltest35.ssl.symclab.com/ gets EV treatment.

Thanks!
Flags: needinfo?(kwilson)
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/84f4017ae85f
Enable VeriSign Class 3 Public PCA - G4 for EV in PSM r=jcj
https://hg.mozilla.org/mozilla-central/rev/84f4017ae85f
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51