Remove old WoSign root certificates

RESOLVED FIXED

Status

NSS
CA Certificates Code
RESOLVED FIXED
10 months ago
4 months ago

People

(Reporter: Kathleen Wilson, Unassigned)

Tracking

({site-compat})

trunk
site-compat
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: Removed in NSS 3.34, Firefox 58)

(Reporter)

Description

10 months ago
Please remove the following four WoSign root certificates from NSS. 
For each of these, certificates issued after October 2016 are not trusted.

Common Name: CA 沃通根证书
SHA-1 Fingerprint: 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6
SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54

Common Name: Certification Authority of WoSign
SHA-1 Fingerprint: B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB
SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08

Common Name: Certification Authority of WoSign G2
SHA-1 Fingerprint: FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16

Common Name: CA WoSign ECC Root
SHA-1 Fingerprint: D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02

* All of these were enabled for EV treatment.
 

Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=1309707
https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
https://groups.google.com/d/msg/mozilla.dev.security.policy/Aljvh8FiROk/Og1NfW2CAgAJ
https://crt.sh/mozilla-certvalidations
(Reporter)

Updated

9 months ago
Depends on: 1387261

Updated

8 months ago
Depends on: 1408080
(Reporter)

Updated

6 months ago
Status: NEW → RESOLVED
Last Resolved: 6 months ago
Resolution: --- → FIXED
Whiteboard: Removed in NSS 3.34, Firefox 58

Comment 1

6 months ago
This change has now landed in Beta and Nightly. The TLS Canary ran for Beta [1] and Nightly [2] this week and showed roughly 150 sites that are broken because of this change. These sites are also broken in Chrome Stable as of Chrome 61 (September 2017) [3].

Since this does impact sites in the Canary, I'm marking this dev-doc-needed and site-compat to summon the wizards who know far better than me how to communicate this. :)

[1] https://tlscanary.mozilla.org/runs/2017-11-16-09-04-06/
[2] https://tlscanary.mozilla.org/runs/2017-11-15-12-59-15/
[3] https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
Keywords: dev-doc-needed, site-compat
Hi there!

I'm just getting back to you on your dev-doc-needed request.

The dev-doc-needed keyword is specifically for MDN documentation. Having a look at this, it doesn't look like we have any documentation on NSS certificates. We have NSS stuff here — https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS — but I don't know how up-to-date any of it is, and don't have much knowledge in this area.

Saying that, do you think we need some kind of reference list of the certificates we support? I am quite happy to add something if needed; I just don't know what that something should be.
Flags: needinfo?(jjones)

Comment 3

4 months ago
Hey Chris,

Hmmm; there's probably not much need to document the trusted certificates list -- those who want to know pull the information from our code, and that's nice and up-to-date. I'd worry about maintenance of a whole list.

Since 58 is released now, I think we're probably good from a documentation standpoint. Google's blogging probably paved the way quite well, too.

Thanks for the analysis and suggestions; I think for these root removals we'll just rely on the security blog (and those of other browsers) for messaging, and not try to maintain user or developer documentation.
Flags: needinfo?(jjones)
Keywords: dev-doc-needed
(In reply to J.C. Jones [:jcj] from comment #3)
> Hey Chris,
> 
> Hmmm; there's probably not much need to document the trusted certificates
> list -- those who want to know pull the information from our code, and
> that's nice and up-to-date. I'd worry about maintenance of a whole list.
> 
> Since 58 is released now, I think we're probably good from a documentation
> standpoint. Google's blogging probably paved the way quite well, too.
> 
> Thanks for the analysis and suggestions; I think for these root removals
> we'll just rely on the security blog (and those of other browsers) for
> messaging, and not try to maintain user or developer documentation.

OK, sounds good to me. Thanks.
You need to log in before you can comment on or make changes to this bug.