Turn off Code Signing trust bit for all included root certs

RESOLVED FIXED in 3.32

People

(Reporter: Rob.Stradling, Unassigned)

(Reporter)

Description

a year ago
~18 months ago, Kathleen wrote [1]:

"I feel confident now that we should do the following:
...
After version 2.3 of the policy is published and the change has been properly communicated (CA Communication, security blog, press regarding the policy update), turn off the Code Signing trust bits for included root certs, and remove any root certs that are left with all trust bits turned off."

This hasn't yet been done, but ISTM that there's no reason not to do it now.


[1] https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html
(Reporter)

Comment 1

a year ago
Assuming I've parsed certdata.txt correctly, there are 2 built-in root certs that should be removed since they're only enabled for CKA_TRUST_CODE_SIGNING:

ComSign Secured CA
https://crt.sh/?id=25533

UTN-USERFirst-Object
https://crt.sh/?id=17811155
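
An added example, not part of this bug thread and not NSS project code: one way to run the check described in Comment 1 over certdata.txt trust objects, listing roots whose Code Signing bit is on and roots trusted for nothing else. The sample input is constructed, the function names are hypothetical, and it assumes each trust object has a unique CKA_LABEL and that CKT_NSS_TRUSTED_DELEGATOR is the value that marks a bit as enabled.

```python
CODE_SIGNING = "CKA_TRUST_CODE_SIGNING"
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", CODE_SIGNING)
DELEGATOR = "CKT_NSS_TRUSTED_DELEGATOR"  # value that marks a trust anchor
# Constructed sample in certdata.txt syntax; labels and hash bytes are made up.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root A"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root B"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

def parse_trust_objects(text):
    """Return {label: {trust_attr: value}} for each CKO_NSS_TRUST object."""
    objects, current, in_octal = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_octal:  # skip MULTILINE_OCTAL payload up to its END line
            in_octal = line != "END"
            continue
        fields = line.split(None, 2)
        if not fields or fields[0].startswith("#"):
            continue
        if len(fields) < 3:
            in_octal = fields[1:] == ["MULTILINE_OCTAL"]
        elif fields[0] == "CKA_CLASS":
            current = {} if fields[2] == "CKO_NSS_TRUST" else None
        elif current is not None and fields[0] == "CKA_LABEL":
            objects[fields[2].strip('"')] = current
        elif current is not None and fields[0] in TRUST_ATTRS:
            current[fields[0]] = fields[2]
    return objects

def code_signing_enabled(objects):
    """Labels whose Code Signing trust bit is still turned on."""
    return sorted(l for l, t in objects.items() if t.get(CODE_SIGNING) == DELEGATOR)

def code_signing_only(objects):
    """Labels trusted for code signing and for nothing else."""
    return sorted(l for l, t in objects.items()
                  if [a for a in TRUST_ATTRS if t.get(a) == DELEGATOR] == [CODE_SIGNING])
```

After the change this bug tracks, `code_signing_enabled` run against the shipped certdata.txt should return an empty list.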

Comment 2

a year ago
Thanks for the reminder. I filed Bug #1366403 and Bug #1366412 to remove those root certs.

Is there anything else we need to track in this bug?

Comment 3

a year ago
Kathleen: If you're good with the removal, then the next step is to remove the CKA_TRUST_CODE_SIGNING attribute from all the roots. Rob's just pointed out the ones that are _only_ trusted for code signing :)

Comment 4

a year ago
Kai and Keeler,

We can do the following with this bug:

1) Turn off the Code Signing trust bit for all root certs

or

2) Remove CKA_TRUST_CODE_SIGNING altogether.

I think you developers will have better insight into the best approach here.

Depends on: 1366403, 1366412
Summary: Remove CKA_TRUST_CODE_SIGNING trust attributes / root certificates → Remove CKA_TRUST_CODE_SIGNING trust attributes

I'm assuming NSS as a project would still want to support clients marking their own roots as trusted for code signing, so I believe option 1 (just turning off the trust bit) would be best here.

Comment 6

a year ago
Sounds good. Updating title, and I will add this to my list for the July batch of root changes. Thanks!
Summary: Remove CKA_TRUST_CODE_SIGNING trust attributes → Turn off Code Signing trust bit for all included root certs

Updated

a year ago
Depends on: 1380941

Comment 7

a year ago
Patch and testing information is in Bug #1380941.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → FIXED
Target Milestone: --- → 3.32