Please remove the following four WoSign root certificates from NSS. For each of these, certificates issued after October 2016 are not trusted.

Common Name: CA 沃通根证书
SHA-1 Fingerprint: 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6
SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54

Common Name: Certification Authority of WoSign
SHA-1 Fingerprint: B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB
SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08

Common Name: Certification Authority of WoSign G2
SHA-1 Fingerprint: FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16

Common Name: CA WoSign ECC Root
SHA-1 Fingerprint: D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02

* All of these were enabled for EV treatment.

Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=1309707
https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
https://groups.google.com/d/msg/mozilla.dev.security.policy/Aljvh8FiROk/Og1NfW2CAgAJ
https://crt.sh/mozilla-certvalidations
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → FIXED
Whiteboard: Removed in NSS 3.34, Firefox 58
This change has now landed in Beta and Nightly. The TLS Canary ran for Beta and Nightly this week and showed roughly 150 sites that are broken because of this change. These sites are also broken in Chrome Stable as of Chrome 61 (September 2017). Since this does impact sites in the Canary, I'm marking this dev-doc-needed and site-compat to summon the wizards who know far better than me how to communicate this. :)

https://tlscanary.mozilla.org/runs/2017-11-16-09-04-06/
https://tlscanary.mozilla.org/runs/2017-11-15-12-59-15/
https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
Keywords: dev-doc-needed, site-compat
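A check a site operator can run against their own served chain to see whether they are among the sites the Canary flagged, written here as an added example (it is not code from this bug, NSS or Mozilla): it parses a PEM bundle, computes the colon-separated fingerprints that browsers display, and reports any certificate whose SHA-256 fingerprint matches one of the four removed roots listed in the description. The `der_to_pem` helper and `SAMPLE_BUNDLE` are constructed placeholders, not real X.509 certificates.

```python
import base64
import hashlib
import re

# SHA-256 fingerprints of the four WoSign roots removed in NSS 3.34 / Firefox 58,
# copied from the bug description above (colon-separated uppercase hex).
REMOVED_WOSIGN_ROOTS = {
    "D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54": "CA 沃通根证书",
    "4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08": "Certification Authority of WoSign",
    "D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16": "Certification Authority of WoSign G2",
    "8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02": "CA WoSign ECC Root",
}

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der_list(pem_text):
    """DER bytes of every certificate in a PEM bundle, in file order."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in _PEM_RE.finditer(pem_text)]


def fingerprint(der, algo="sha256"):
    """Colon-separated uppercase hex digest of the DER, as browsers display it."""
    hexdigest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def find_removed_roots(pem_text, removed=REMOVED_WOSIGN_ROOTS):
    """(position, common name) for each cert in the bundle matching a removed root."""
    hits = []
    for pos, der in enumerate(pem_to_der_list(pem_text)):
        name = removed.get(fingerprint(der))
        if name is not None:
            hits.append((pos, name))
    return hits


def der_to_pem(der):
    """Wrap bytes as a PEM block; used here only to build the constructed sample input."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# Constructed two-entry bundle: placeholder bytes, not real X.509 certificates.
SAMPLE_BUNDLE = der_to_pem(b"constructed-leaf") + der_to_pem(b"constructed-root")
```

Feed `find_removed_roots` the PEM chain your server actually sends (including any intermediates and the root, if you ship it); a non-empty result means the chain terminates in a root that Firefox 58 and Chrome 61 no longer trust.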
Hi there! I'm just getting back to you on your dev-doc-needed request. The dev-doc-needed keyword is specifically for MDN documentation. Having a look at this, it doesn't look like we have any documentation on NSS certificates. We have NSS stuff here — https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS — but I don't know how up-to-date any of it is, and don't have much knowledge in this area. Saying that, do you think we need some kind of reference list of the certificates we support? I am quite happy to add something if needed; I just don't know what that something should be.
Hey Chris, Hmmm; there's probably not much need to document the trusted certificates list -- those who want to know pull the information from our code, and that's nice and up-to-date. I'd worry about maintenance of a whole list. Since 58 is released now, I think we're probably good from a documentation standpoint. Google's blogging probably paved the way quite well, too. Thanks for the analysis and suggestions; I think for these root removals we'll just rely on the security blog (and those of other browsers) for messaging, and not try to maintain user or developer documentation.
(In reply to J.C. Jones [:jcj] from comment #3)
> Hey Chris,
>
> Hmmm; there's probably not much need to document the trusted certificates
> list -- those who want to know pull the information from our code, and
> that's nice and up-to-date. I'd worry about maintenance of a whole list.
>
> Since 58 is released now, I think we're probably good from a documentation
> standpoint. Google's blogging probably paved the way quite well, too.
>
> Thanks for the analysis and suggestions; I think for these root removals
> we'll just rely on the security blog (and those of other browsers) for
> messaging, and not try to maintain user or developer documentation.

OK, sounds good to me. Thanks.