~18 months ago, Kathleen wrote: "I feel confident now that we should do the following: ... After version 2.3 of the policy is published and the change has been properly communicated (CA Communication, security blog, press regarding the policy update), turn off the Code Signing trust bits for included root certs, and remove any root certs that are left with all trust bits turned off." This hasn't yet been done, but ISTM that there's no reason not to do it now. https://firstname.lastname@example.org/msg02409.html
Assuming I've parsed certdata.txt correctly, there are 2 built-in root certs that should be removed since they're only enabled for CKA_TRUST_CODE_SIGNING:
ComSign Secured CA https://crt.sh/?id=25533
UTN-USERFirst-Object https://crt.sh/?id=17811155
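An added example, not part of the bug thread or of NSS: a minimal parser for the certdata.txt trust-object syntax that lists roots marked CKT_NSS_TRUSTED_DELEGATOR for code signing and for nothing else, which is the check described in the comment above. The sample labels and octal bytes are constructed, and the function names are hypothetical.

```python
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")
DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"

# Constructed sample in certdata.txt syntax; labels and hash bytes are made up.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

def trust_objects(text):
    """Yield {attribute: value} for each CKO_NSS_TRUST object."""
    obj, in_blob = None, False
    for line in text.splitlines():
        line = line.strip()
        if in_blob:                      # skip octal data up to END
            in_blob = line != "END"
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) >= 2 and parts[1] == "MULTILINE_OCTAL":
            in_blob = True
            continue
        if len(parts) < 3:               # e.g. the BEGINDATA marker
            continue
        name, _type, value = parts
        if name == "CKA_CLASS":          # every object starts with CKA_CLASS
            if obj:
                yield obj
            obj = {} if value == "CKO_NSS_TRUST" else None
        elif obj is not None:
            obj[name] = value.strip('"')
    if obj:
        yield obj

def code_signing_only(text):
    """Labels of roots that are a trusted delegator for code signing only."""
    return [o.get("CKA_LABEL", "?") for o in trust_objects(text)
            if [a for a in TRUST_ATTRS if o.get(a) == DELEGATOR]
            == ["CKA_TRUST_CODE_SIGNING"]]
```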
Thanks for the reminder. I filed Bug #1366403 and Bug #1366412 to remove those root certs. Is there anything else we need to track in this bug?
Kathleen: If you're good with the removal, then the next step is to remove the CKA_TRUST_CODE_SIGNING attribute from all the roots. Rob's just pointed out the ones that are _only_ trusted for code signing :)
Kai and Keeler,
We can do the following with this bug:
1) Turn off the Code Signing trust bit for all root certs
or
2) Remove CKA_TRUST_CODE_SIGNING altogether.
I think you developers will have better insight into the best approach here.
I'm assuming NSS as a project would still want to support clients marking their own roots as trusted for code signing, so I believe option 1 (just turning off the trust bit) would be best here.
Sounds good. Updating title, and I will add this to my list for the July batch of root changes. Thanks!
Summary: Remove CKA_TRUST_CODE_SIGNING trust attributes → Turn off Code Signing trust bit for all included root certs
Patch and testing information is in Bug #1380941.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → 3.32