Closed Bug 1335904 Opened 4 years ago Closed 4 years ago

Disable EV treatment for TurkTrust H6 root certificate

Categories

(Core :: Security: PSM, enhancement)

51 Branch
enhancement
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla54
Tracking Status
firefox-esr52 --- fixed
firefox54 --- fixed

People

(Reporter: kwilson, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Please remove EV treatment for following root certificate:

Subject: CN=TÜRKTRUST Elektronik Sertifika Hizmet Sağlayıcısı H6, OU=null, O=TÜRKTRUST Bilgi İletişim ve Bilişim Güvenliği Hizmetleri A.Ş., C=TR

SHA-1 Fingerprint: 8A:5C:8C:EE:A5:03:E6:05:56:BA:D8:1B:D4:F6:C9:B0:ED:E5:2F:E0
SHA-256 Fingerprint: 8D:E7:86:55:E1:BE:7F:78:47:80:0B:93:F6:94:D2:1D:36:8C:C0:6E:03:3E:7F:AB:04:BB:5E:B9:9D:A6:B7:00

EV Policy OID: 2.16.792.3.0.3.1.1.5

From the CA: "...as TURKTRUST we decided to hold our EV SSL operations. ... Please feel free to proceed with filing a Bugzilla Bug to remove H6 root certificate from the NSS root store."
Looks like https://testsuite12002.turktrust.com.tr/ is a good test site for this.
Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]
Comment on attachment 8833089 [details]
bug 1335904 - disable EV treatment for TurkTrust H6 root certificate

https://reviewboard.mozilla.org/r/109314/#review110462
Attachment #8833089 - Flags: review?(jjones) → review+
https://hg.mozilla.org/mozilla-central/rev/20044793987e
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Comment on attachment 8833089 [details]
bug 1335904 - disable EV treatment for TurkTrust H6 root certificate

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: needed for bug 1357599
User impact if declined: bug 1357599 can't land
Fix Landed on Version: 54
Risk to taking this patch (and alternatives if risky): very low - this just removes a small amount of static data
String or UUID changes made by this patch: none

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8833089 - Flags: approval-mozilla-esr52?
Hello jcristau, can you please consider to approve this bug for uplift to ESR 52?

This isn't a code change. It's simply removal of static data, that enablec a CA for EV status, and currently has a test that tries to assert the underlying root CA is actually present as part of NSS.

Given that we remove this old root CA from NSS, we must remove the EV enablement, too, to avoid the test failure.
Flags: needinfo?(jcristau)
Comment on attachment 8833089 [details]
bug 1335904 - disable EV treatment for TurkTrust H6 root certificate

remove EV bit from a TurkTrust root, needed for nss update, esr52+

ritu fyi
Flags: needinfo?(jcristau) → needinfo?(rkothari)
Attachment #8833089 - Flags: approval-mozilla-esr52? → approval-mozilla-esr52+
Hello Ritu, can you please consider to approve this bug for uplift to ESR 52?

This isn't a code/logic change. It's simply removal of static data, that previously enabled a CA for EV status, and currently has a test that tries to assert the underlying root CA is actually present as part of NSS.

Given that we want to remove the old root CA from NSS in bug 1357599, we must remove this EV enablement, too, to avoid the test failure, and allow to land approved bug 1357599.
Flags: needinfo?(rkothari)
You need to log in before you can comment on or make changes to this bug.