December 2016 batch of root CA changes (to be released in early January 2017)

RESOLVED FIXED in 3.28.1

Status

NSS
CA Certificates Code
RESOLVED FIXED
a year ago
8 months ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

3.28
3.28.1

Attachments

(1 attachment, 2 obsolete attachments)

(Assignee)

Description

a year ago
Given that the originally planned August 2016 batch is more complicated than usual, I suggest that we close bug 1290999 as wontfix, and split it into two separate updates:

This bug is for tracking the second half of the changes, those which must be delayed until January 2017.

I suggest that we release this update EXACTLY on 2017-01-02, January 2nd 2017, as part of new NSS branch releases, and uplift them into the Firefox 51 and Firefox 52 branches on the same date.

Let me know if there are any concerns with this suggestion.
(Assignee)

Updated

a year ago
Summary: 2017-01-02 batch of root CA changes → 2017-01-02 batch of root CA changes (January 2nd 2017)
(Assignee)

Updated

a year ago
Blocks: 1266574
(Assignee)

Updated

a year ago
Blocks: 1272156
(Assignee)

Updated

a year ago
Blocks: 1272158
(Assignee)

Updated

a year ago
See Also: → bug 1290999

Comment 1

a year ago
(In reply to Kai Engert (:kaie) from comment #0)
>
> I suggest that we release this update EXACTLY on 2017-01-02, January 2nd
> 2017, as part of new NSS branch releases, and uplift them into the Firefox
> 51 and Firefox 52 branches on the same date.
> 
> Let me know if there are any concerns with this suggestion.

Whenever possible, root removals should be added to the Central or Aurora phase of a Firefox release, so I would like to update my request as follows.

Please remove the root certs indicated in the following bugs from NSS by September 12, so the changes will get into Firefox 51, which is currently scheduled for release on January 24.
* 1250699 - Remove expiring Sertifitseerimiskeskus root cert -- not EV -- expires 8/26/2016
* 1251025 - Remove expiring E-Tugra root cert -- not EV -- expires 8/14/2016
* 1286696 - Remove S-TRUST Authentication and Encryption Root CA 2005:PN -- not EV -- only email trust bit set
* 1288250 - Remove non-audited VeriSign and Equifax root certs -- not EV -- only email trust bit set

Please postpone the following bugs to the next batch of root changes. I will send you the full list in December, with target of Firefox 52. (so we would want to get these changes into an NSS release and into the FF52 train in early January)
* 1266574 - Remove expiring Buypass root cert -- not EV -- expires 10/13/2016
* 1283326 - Remove RSA Security 2048 v3 root certificate -- not EV -- CA request is to remove after November 8
* 1272156 - Remove French Government's IGC/A root -- not EV -- CA request is to remove after December 31st 2016
* 1272158 - Remove Generalitat Valenciana root -- not EV -- CA request is to remove after December 31st 2016


Thanks,
Kathleen

Comment 2

a year ago
Ooops! Looks like I should have read Bug #1296689 first...

I agree with what you said in Bug #1296689, but I think we should move the removal of the RSA Security 2048 v3 root (Bug #1283326) into this later batch of root changes.


> I suggest that we release this update EXACTLY on 2017-01-02, January 2nd
> 2017, as part of new NSS branch releases, and uplift them into the Firefox
> 51 and Firefox 52 branches on the same date.


I would just change that to be released in early January (doesn't have to be Jan 2), and to only uplift to FF 52.

Thanks!
(Assignee)

Updated

a year ago
Blocks: 1283326
(Assignee)

Comment 3

a year ago
Kathleen, thanks for your decisions.

I've moved the RSA root removal bug to this January batch (see updated dependency list).

Given we're no longer targeting Firefox 51, I agree we don't need to release exactly on January 2nd, but can complete the release at some time early in January, and create an NSS release to be landed into Firefox 52 aurora earlier than 2017-01-22.

I don't know if we can delay the NSS 3.28 release (that targets Firefox 52) until early January. Maybe we can. If we cannot, we'll create an NSS 3.28.x release with the root CA changes for Firefox 52.

I'll wait for the full list to arrive in December, before creating the patch and test builds.
Summary: 2017-01-02 batch of root CA changes (January 2nd 2017) → December 2016 batch of root CA changes (to be released in early January 2017)
(Assignee)

Updated

a year ago
Target Milestone: --- → 3.28
(Assignee)

Comment 4

a year ago
Created attachment 8783858 [details] [diff] [review]
incomplete-dez-1296697-v0.patch

This is an incomplete patch, which should implement the requested changes that are known so far.

I'll create an updated patch when the full list is known in December.
Assignee: nobody → kaie
(Assignee)

Updated

11 months ago
No longer blocks: 1272156
(Assignee)

Comment 5

9 months ago
Created attachment 8811678 [details] [diff] [review]
draft-1296697-v0b.patch

This is an updated draft patch that implements the changes from the current list.
1266574 1272158 1283326 1299951 1303377 1307981
Attachment #8783858 - Attachment is obsolete: true

Comment 6

9 months ago
(In reply to Kai Engert (:kaie) (on vacation) from comment #5)
> ... the current list.
>  	1266574 1272158 1283326 1299951 1303377 1307981

Adding one more: Bug #1320783.

Thanks!
Blocks: 1320783
(Assignee)

Comment 7

8 months ago
Created attachment 8817966 [details] [diff] [review]
Patch v1

This patch v1 is no longer a draft; it should include the complete set intended for this batch.
Attachment #8811678 - Attachment is obsolete: true
(Assignee)

Comment 8

8 months ago
(In reply to Kai Engert (:kaie) from comment #7)
> Created attachment 8817966 [details] [diff] [review]
> Patch v1

A test build has been started.

Build results will be displayed on Treeherder as they come in:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0ff968e3d09e43aa1186a83d9df1b0159adf61e0

Once completed, builds and logs will be available at:
https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-0ff968e3d09e43aa1186a83d9df1b0159adf61e0/

Comment 9

8 months ago
Thanks, Kai!

I have:
+ reviewed the patch, and all of the changes are as requested.
+ tested with the MacOS test build, and confirmed all of the requested changes.

I will ask the CAs to test.
(Assignee)

Comment 10

8 months ago
Comment on attachment 8817966 [details] [diff] [review]
Patch v1

Thanks Kathleen. Once you have feedback from all CAs, please set the patch to reviewed.
Attachment #8817966 - Flags: review?(kwilson)

Comment 11

8 months ago
Comment on attachment 8817966 [details] [diff] [review]
Patch v1

CA testing successfully completed. This patch is ready.

Thanks!
Attachment #8817966 - Flags: review?(kwilson) → review+
(Assignee)

Comment 12

8 months ago
NSS trunk for 3.29:
https://hg.mozilla.org/projects/nss/rev/e40d83f856f7

NSS branch for 3.28.1:
https://hg.mozilla.org/projects/nss/rev/1927091e7839
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED
Target Milestone: 3.28 → 3.28.1