Closed
Bug 1296697
Opened 8 years ago
Closed 8 years ago
December 2016 batch of root CA changes (to be released in early January 2017)
Categories: NSS :: CA Certificates Code, task
Tracking: Not tracked
Status: RESOLVED FIXED
Target Milestone: 3.28.1
People: Reporter: KaiE, Assigned: KaiE
Attachments: 1 file, 2 obsolete files
* patch, 99.95 KB, kathleen.a.wilson: review+
Given that the originally planned August 2016 batch is more complicated than usual, I suggest that we close bug 1290999 as wontfix, and split it into two separate updates:
This bug is for tracking the second half of the changes, those which must be delayed until January 2017.
I suggest that we release this update EXACTLY on 2017-01-02, January 2nd 2017, as part of new NSS branch releases, and uplift them into the Firefox 51 and Firefox 52 branches on the same date.
Let me know if there are any concerns with this suggestion.
Updated•8 years ago
Summary: 2017-01-02 batch of root CA changes → 2017-01-02 batch of root CA changes (January 2nd 2017)
Comment 1•8 years ago
(In reply to Kai Engert (:kaie) from comment #0)
>
> I suggest that we release this update EXACTLY on 2017-01-02, January 2nd
> 2017, as part of new NSS branch releases, and uplift them into the Firefox
> 51 and Firefox 52 branches on the same date.
>
> Let me know if there are any concerns with this suggestion.
Whenever possible, root removals should be added to the Central or Aurora phase of a Firefox release, so I would like to update my request as follows.
Please remove the root certs indicated in the following bugs from NSS by September 12, so the changes will get into Firefox 51, which is currently scheduled for release on January 24.
* 1250699 - Remove expiring Sertifitseerimiskeskus root cert -- not EV -- expires 8/26/2016
* 1251025 - Remove expiring E-Tugra root cert -- not EV -- expires 8/14/2016
* 1286696 - Remove S-TRUST Authentication and Encryption Root CA 2005:PN - not EV -- only email trust bit set
* 1288250 - Remove non-audited VeriSign and Equifax root certs - not EV - only email trust bit set
Please postpone the following bugs to the next batch of root changes. I will send you the full list in December, with target of Firefox 52. (so we would want to get these changes into an NSS release and into the FF52 train in early January)
* 1266574 - Remove expiring Buypass root cert -- not EV -- expires 10/13/2016
* 1283326 - Remove RSA Security 2048 v3 root certificate -- not EV - CA request is to remove after November 8
* 1272156 - Remove French Government's IGC/A root - not EV -- CA request is to remove after December 31st 2016
* 1272158 - Remove Generalitat Valenciana root - not EV -- CA request is to remove after December 31st 2016
Thanks,
Kathleen
Comment 2•8 years ago
Ooops! Looks like I should have read Bug #1296689 first...
I agree with what you said in Bug #1296689, but I think we should move the removal of the RSA Security 2048 v3 root (Bug #1283326) into this later batch of root changes.
> I suggest that we release this update EXACTLY on 2017-01-02, January 2nd
> 2017, as part of new NSS branch releases, and uplift them into the Firefox
> 51 and Firefox 52 branches on the same date.
I would just change that to be released in early January (doesn't have to be Jan 2), and to only uplift to FF 52.
Thanks!
Comment 3•8 years ago
Kathleen, thanks for your decisions.
I've moved the RSA root removal bug to this January batch (see updated dependency list).
Given we're no longer targeting Firefox 51, I agree we don't need to release exactly on January 2nd, but can complete the release at some time early in January, and create an NSS release to be landed into Firefox 52 aurora earlier than 2017-01-22.
I don't know if we can delay the NSS 3.28 release (that targets Firefox 52) until early January. Maybe we can. If we cannot, we'll create an NSS 3.28.x release with the root CA changes for Firefox 52.
I'll wait for the full list to arrive in December, before creating the patch and test builds.
Summary: 2017-01-02 batch of root CA changes (January 2nd 2017) → December 2016 batch of root CA changes (to be released in early January 2017)
Updated•8 years ago
Target Milestone: --- → 3.28
Comment 4•8 years ago
This is an incomplete patch, which should implement the requested changes that are known so far.
I'll create an updated patch when the full list is known in December.
Assignee: nobody → kaie
Comment 5•8 years ago
This is an updated draft patch, that implements the changes from the current list.
1266574 1272158 1283326 1299951 1303377 1307981
Attachment #8783858 - Attachment is obsolete: true
Comment 6•8 years ago
(In reply to Kai Engert (:kaie) (on vacation) from comment #5)
> ... the current list.
> 1266574 1272158 1283326 1299951 1303377 1307981
Adding one more: Bug #1320783.
Thanks!
Blocks: 1320783
Comment 7•8 years ago
This patch v1 is no longer a draft, it should include the complete set intended for this batch.
Attachment #8811678 - Attachment is obsolete: true
Comment 8•8 years ago
(In reply to Kai Engert (:kaie) from comment #7)
> Created attachment 8817966 [details] [diff] [review]
> Patch v1
A test build has been started.
Build results will be displayed on Treeherder as they come in:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0ff968e3d09e43aa1186a83d9df1b0159adf61e0
Once completed, builds and logs will be available at:
https://archive.mozilla.org/pub/firefox/try-builds/kaie@kuix.de-0ff968e3d09e43aa1186a83d9df1b0159adf61e0/
Comment 9•8 years ago
Thanks, Kai!
I have:
+ reviewed the patch, and all of the changes are as requested.
+ tested with the MacOS test build, and confirmed all of the requested changes.
I will ask the CAs to test.
Comment 10•8 years ago
Comment on attachment 8817966 [details] [diff] [review]
Patch v1
Thanks Kathleen. Once you have feedback from all CAs, please set the patch to reviewed.
Attachment #8817966 - Flags: review?(kwilson)
Comment 11•8 years ago
Comment on attachment 8817966 [details] [diff] [review]
Patch v1
CA testing successfully completed. This patch is ready.
Thanks!
Attachment #8817966 - Flags: review?(kwilson) → review+
Comment 12•8 years ago
NSS trunk for 3.29:
https://hg.mozilla.org/projects/nss/rev/e40d83f856f7
NSS branch for 3.28.1:
https://hg.mozilla.org/projects/nss/rev/1927091e7839
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: 3.28 → 3.28.1