Turn off Code Signing trust bit for all included root certs



2 years ago
a year ago


(Reporter: Rob.Stradling, Unassigned)


Dependency tree / graph

Firefox Tracking Flags

(Not tracked)




2 years ago
~18 months ago, Kathleen wrote [1]:

"I feel confident now that we should do the following:
After version 2.3 of the policy is published and the change has been properly communicated (CA Communication, security blog, press regarding the policy update), turn off the Code Signing trust bits for included root certs, and remove any root certs that are left will all trust bits turned off."

This hasn't yet been done, but ISTM that there's no reason not to do it now.

[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html

Comment 1

2 years ago
Assuming I've parsed certdata.txt correctly, there are 2 built-in root certs that should be removed since they're only enabled for CKA_TRUST_CODE_SIGNING:

ComSign Secured CA


Comment 2

2 years ago
Thanks for the reminder. I filed Bug #1366403 and Bug #1366412 to remove those root certs.

Is there anything else we need to track in this bug?

Comment 3

2 years ago
Kathleen: If you're good with the removal, then the next step is to remove the CKA_TRUST_CODE_SIGNING attribute from all the roots. Rob's just pointed out the ones that are _only_ trusted for code signing :)

Comment 4

2 years ago
Kai and Keeler,

We can do the following with this bug:

1) Turn off the Code Signing trust bit for all root certs


2) Remove CKA_TRUST_CODE_SIGNING altogether.

I think you developers will have better insight into the best approach here.
Depends on: 1366403, 1366412
Summary: Remove CKA_TRUST_CODE_SIGNING trust attributes / root certificates → Remove CKA_TRUST_CODE_SIGNING trust attributes
I'm assuming NSS as a project would still want to support clients marking their own roots as trusted for code signing, so I believe option 1 (just turning off the trust bit) would be best here.

Comment 6

2 years ago
Sounds good. Updating title, and I will add this to my list for the July batch of root changes. Thanks!
Summary: Remove CKA_TRUST_CODE_SIGNING trust attributes → Turn off Code Signing trust bit for all included root certs
Depends on: 1380941

Comment 7

a year ago
Patch and testing information is in Bug #1380941.
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → 3.32
You need to log in before you can comment on or make changes to this bug.