Disable EV treatment for TurkTrust H6 root certificate

RESOLVED FIXED in Firefox -esr52

Status

enhancement
RESOLVED FIXED
2 years ago
2 years ago

People

(Reporter: kwilson, Assigned: keeler)

Tracking

51 Branch
mozilla54

Firefox Tracking Flags

(firefox-esr52 fixed, firefox54 fixed)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Please remove EV treatment for the following root certificate:

Subject: CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6, OU=null, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş., C=TR

SHA-1 Fingerprint: 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
SHA-256 Fingerprint: 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00

EV Policy OID: 2.16.792.3.0.3.1.1.5

From the CA: "...as TURKTRUST we decided to hold our EV SSL operations. ... Please feel free to proceed with filing a Bugzilla Bug to remove H6 root certificate from the NSS root store."
Looks like https://testsuite12002.turktrust.com.tr/ is a good test site for this.
Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]
Comment hidden (mozreview-request)

Comment 3

2 years ago
mozreview-review
Comment on attachment 8833089 [details]
bug 1335904 - disable EV treatment for TurkTrust H6 root certificate

https://reviewboard.mozilla.org/r/109314/#review110462
Attachment #8833089 - Flags: review?(jjones) → review+
Thanks!

Comment 6

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/20044793987e
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox54: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Comment on attachment 8833089 [details]
bug 1335904 - disable EV treatment for TurkTrust H6 root certificate

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: needed for bug 1357599
User impact if declined: bug 1357599 can't land
Fix Landed on Version: 54
Risk to taking this patch (and alternatives if risky): very low - this just removes a small amount of static data
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8833089 - Flags: approval-mozilla-esr52?
Hello jcristau, can you please consider approving this bug for uplift to ESR 52?

This isn't a code change. It's simply removal of static data that enabled a CA for EV status, and currently has a test that tries to assert the underlying root CA is actually present as part of NSS.

Given that we remove this old root CA from NSS, we must remove the EV enablement, too, to avoid the test failure.
Flags: needinfo?(jcristau)
Comment on attachment 8833089 [details]
bug 1335904 - disable EV treatment for TurkTrust H6 root certificate

remove EV bit from a TurkTrust root, needed for nss update, esr52+

ritu fyi
Flags: needinfo?(jcristau) → needinfo?(rkothari)
Attachment #8833089 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Hello Ritu, can you please consider approving this bug for uplift to ESR 52?

This isn't a code/logic change. It's simply removal of static data, that previously enabled a CA for EV status, and currently has a test that tries to assert the underlying root CA is actually present as part of NSS.

Given that we want to remove the old root CA from NSS in bug 1357599, we must remove this EV enablement, too, to avoid the test failure, and allow approved bug 1357599 to land.
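
The dependency described in the comments above (an EV entry must not outlive the root it points to), sketched as an added example that is not Firefox or NSS code. The tuple layout of the EV table, the function names and the "Example Root" entry are assumptions made for illustration; only the H6 SHA-256 fingerprint and EV policy OID come from the bug description.

```python
import re

# SHA-256 fingerprint and EV policy OID quoted in this bug's description.
H6_SHA256 = ("8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:"
             "36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00")
H6_EV_OID = "2.16.792.3.0.3.1.1.5"
# Constructed placeholder root for the example, not a real CA.
EXAMPLE_SHA256 = ":".join(["AB"] * 32)
EXAMPLE_EV_OID = "1.3.6.1.4.1.99999.1"

_FP_RE = re.compile(r"^[0-9A-F]{64}$")
_OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")

def normalize_fingerprint(fp):
    """Return a SHA-256 fingerprint as 64 upper-case hex digits."""
    cleaned = fp.replace(":", "").replace(" ", "").upper()
    if not _FP_RE.match(cleaned):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return cleaned

def audit_ev_table(ev_table, root_store):
    """Split (name, fingerprint, oid) EV entries into (consistent, stale)."""
    trusted = {normalize_fingerprint(fp) for fp in root_store}
    consistent, stale = [], []
    for name, fp, oid in ev_table:
        if not _OID_RE.match(oid):
            raise ValueError(f"malformed policy OID for {name}: {oid!r}")
        bucket = consistent if normalize_fingerprint(fp) in trusted else stale
        bucket.append(name)
    return consistent, stale

EV_TABLE = [
    ("TurkTrust H6", H6_SHA256, H6_EV_OID),
    ("Example Root", EXAMPLE_SHA256, EXAMPLE_EV_OID),
]

def demo():
    before = audit_ev_table(EV_TABLE, [H6_SHA256.lower(), EXAMPLE_SHA256])
    # Root removed from the store while its EV entry is kept: flagged as stale.
    root_removed = audit_ev_table(EV_TABLE, [EXAMPLE_SHA256])
    # EV entry dropped as well (the change in this bug): table is consistent.
    both_removed = audit_ev_table(EV_TABLE[1:], [EXAMPLE_SHA256])
    return before, root_removed, both_removed

if __name__ == "__main__":
    for result in demo():
        print(result)
```
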

Comment 11

2 years ago
bugherderuplift
https://hg.mozilla.org/releases/mozilla-esr52/rev/366cdd623cfb
status-firefox-esr52: --- → fixed
Flags: needinfo?(rkothari)