Closed Bug 1366403 Opened 7 years ago Closed 7 years ago

Remove Legacy Comodo root certificates per CA Request

Categories

(NSS :: CA Certificates Code, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Unassigned)

Please remove the following root certificate from NSS.

Common Name: UTN-USERFirst-Object
SHA-1 Fingerprint: E1:2D:FB:4B:41:D7:D9:C3:2B:30:51:4B:AC:1D:81:D8:38:5E:2D:46
SHA-256 Fingerprint: 6F:FF:78:E4:00:A7:0C:11:01:1C:D8:59:77:C4:59:FB:5A:F9:6A:3D:F0:54:08:20:D0:F4:B8:60:78:75:E5:8F

* This root cert is not enabled for EV treatment.

Reason for removal: Mozilla no longer supports the Code Signing trust bit.
https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02409.html

Blocks: 1366243
See Also: → 1378334

As requested by the CA (Bug #1378334), please also make the following changes to NSS.

== Turn off Websites and Code Signing trust bits ==

Common Name: AddTrust Class 1 CA Root
SHA-1 Fingerprint: CC:AB:0E:A0:4C:23:01:D6:69:7B:DD:37:9F:CD:12:EB:24:E3:94:9D
SHA-256 Fingerprint: 8C:72:09:27:9A:C0:4E:27:5E:16:D0:7F:D3:B7:75:E8:01:54:B5:96:80:46:E3:1F:52:DD:25:76:63:24:E9:A7
CA requested to keep the Email trust bit enabled so that existing S/MIME signatures can still be validated.


== Remove Root Certs from NSS ==

Common Name: AddTrust Public CA Root
SHA-1 Fingerprint: 2A:B6:28:48:5E:78:FB:F3:AD:9E:79:10:DD:6B:DF:99:72:2C:96:E5
SHA-256 Fingerprint: 07:91:CA:07:49:B2:07:82:AA:D3:C7:D7:BD:0C:DF:C9:48:58:35:84:3E:B2:D7:99:60:09:CE:43:AB:6C:69:27
* Not EV

Common Name: AddTrust Qualified CA Root
SHA-1 Fingerprint: 4D:23:78:EC:91:95:39:B5:00:7F:75:8F:03:3B:21:1E:C5:4D:8B:CF
SHA-256 Fingerprint: 80:95:21:08:05:DB:4B:BC:35:5E:44:28:D8:FD:6E:C2:CD:E3:AB:5F:B9:7A:99:42:98:8E:B8:F4:DC:D0:60:16
* Not EV

Common Name: Secure Certificate Services
SHA-1 Fingerprint: 4A:65:D5:F4:1D:EF:39:B8:B8:90:4A:4A:D3:64:81:33:CF:C7:A1:D1
SHA-256 Fingerprint: BD:81:CE:3B:4F:65:91:D1:1A:67:B5:FC:7A:47:FD:EF:25:52:1B:F9:AA:4E:18:B9:E3:DF:2E:34:A7:80:3B:E8
* Not EV

Common Name: Trusted Certificate Services
SHA-1 Fingerprint: E1:9F:E3:0E:8B:84:60:9E:80:9B:17:0D:72:A8:C5:BA:6E:14:09:BD
SHA-256 Fingerprint: 3F:06:E5:56:81:D4:96:F5:BE:16:9E:B5:38:9F:9F:2B:8F:F6:1E:17:08:DF:68:81:72:48:49:CD:5D:27:CB:69
* Not EV

Common Name: UTN-USERFirst-Hardware
SHA-1 Fingerprint: 04:83:ED:33:99:AC:36:08:05:87:22:ED:BC:5E:46:00:E3:BE:F9:D7
SHA-256 Fingerprint: 6E:A5:47:41:D0:04:66:7E:ED:1B:48:16:63:4A:A3:A7:9E:6E:4B:96:95:0F:82:79:DA:FC:8D:9B:D8:81:21:37
* EV ENABLED

Depends on: 1380821
Blocks: 1378334
Summary: Remove UTN-USERFirst-Object root certificate → Remove Legacy Comodo root certificates per CA Request
Depends on: 1380941

Patch and testing information is in Bug #1380941.

Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.32