Closed Bug 1387260 Opened 2 years ago Closed 2 years ago

Remove old WoSign root certificates

Categories

(NSS :: CA Certificates Code, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

Details

(Keywords: site-compat, Whiteboard: Removed in NSS 3.34, Firefox 58)

Please remove the following four WoSign root certificates from NSS. 
For each of these, certificates issued after October 2016 are not trusted.

Common Name: CA 沃通根证书
SHA-1 Fingerprint: 16:32:47:8D:89:F9:21:3A:92:00:85:63:F5:A4:A7:D3:12:40:8A:D6
SHA-256 Fingerprint: D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54

Common Name: Certification Authority of WoSign
SHA-1 Fingerprint: B9:42:94:BF:91:EA:8F:B6:4B:E6:10:97:C7:FB:00:13:59:B6:76:CB
SHA-256 Fingerprint: 4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08

Common Name: Certification Authority of WoSign G2
SHA-1 Fingerprint: FB:ED:DC:90:65:B7:27:20:37:BC:55:0C:9C:56:DE:BB:F2:78:94:E1
SHA-256 Fingerprint: D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16

Common Name: CA WoSign ECC Root
SHA-1 Fingerprint: D2:7A:D2:BE:ED:94:C0:A1:3C:C7:25:21:EA:5D:71:BE:81:19:F3:2B
SHA-256 Fingerprint: 8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02

* All of these were enabled for EV treatment.
 

Reference:
https://bugzilla.mozilla.org/show_bug.cgi?id=1309707
https://wiki.mozilla.org/CA/Additional_Trust_Changes#WoSign
https://groups.google.com/d/msg/mozilla.dev.security.policy/Aljvh8FiROk/Og1NfW2CAgAJ
https://crt.sh/mozilla-certvalidations
Depends on: 1387261
Depends on: 1408080
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Whiteboard: Removed in NSS 3.34, Firefox 58
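Added example, not part of the bug report or of NSS: a Python check that scans a PEM bundle (for instance an exported trust store) for the four roots listed in the description, matching on SHA-256 fingerprint. The function names and the sample blobs are constructed for illustration; the blobs are placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re
import sys

# SHA-256 fingerprints of the four roots, copied from the bug description.
WOSIGN_ROOTS = {
    "D6:F0:34:BD:94:AA:23:3F:02:97:EC:A4:24:5B:28:39:73:E4:47:AA:59:0F:31:0C:77:F4:8F:DF:83:11:22:54": "CA 沃通根证书",
    "4B:22:D5:A6:AE:C9:9F:3C:DB:79:AA:5E:C0:68:38:47:9C:D5:EC:BA:71:64:F7:F2:2D:C1:D6:5F:63:D8:57:08": "Certification Authority of WoSign",
    "D4:87:A5:6F:83:B0:74:82:E8:5E:96:33:94:C1:EC:C2:C9:E5:1D:09:03:EE:94:6B:02:C3:01:58:1E:D9:9E:16": "Certification Authority of WoSign G2",
    "8B:45:DA:1C:06:F7:91:EB:0C:AB:F2:6B:E5:88:F5:FB:23:16:5C:2E:61:4B:F8:85:56:2D:0D:CE:50:B2:9B:02": "CA WoSign ECC Root",
}
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize(fp):
    """Strip separators and uppercase, so 'aa:bb' and 'AABB' compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def fingerprints(pem_text):
    """Yield the SHA-256 of the DER bytes of each certificate in a PEM bundle."""
    for match in PEM_RE.finditer(pem_text):
        der = base64.b64decode("".join(match.group(1).split()))
        yield hashlib.sha256(der).hexdigest().upper()


def find_listed_roots(pem_text, listed=WOSIGN_ROOTS):
    """Return (position, name) for every bundle entry whose fingerprint is listed."""
    wanted = {normalize(fp): name for fp, name in listed.items()}
    return [(i, wanted[fp]) for i, fp in enumerate(fingerprints(pem_text)) if fp in wanted]


def to_pem(der):
    """Wrap raw bytes in PEM armor; used here only to build constructed samples."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a real bundle, e.g. an exported trust store
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            bundle, listed = fh.read(), WOSIGN_ROOTS
    else:  # constructed sample: two placeholder blobs, the second one "listed"
        blobs = [b"constructed blob A", b"constructed blob B"]
        bundle = "".join(to_pem(b) for b in blobs)
        listed = {hashlib.sha256(blobs[1]).hexdigest(): "constructed entry"}
    for position, name in find_listed_roots(bundle, listed):
        print(f"certificate #{position} in bundle matches: {name}")
```

Run with a bundle path as the only argument to check it against the four fingerprints; an empty result means none of the listed roots is present in that file.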
This change has now landed in Beta and Nightly. The TLS Canary ran for Beta [1] and Nightly [2] this week and showed roughly 150 sites that are broken because of this change. These sites are also broken in Chrome Stable as of Chrome 61 (September 2017) [3].

Since this does impact sites in the Canary, I'm marking this dev-doc-needed and site-compat to summon the wizards who know far better than me how to communicate this. :)

[1] https://tlscanary.mozilla.org/runs/2017-11-16-09-04-06/
[2] https://tlscanary.mozilla.org/runs/2017-11-15-12-59-15/
[3] https://security.googleblog.com/2017/07/final-removal-of-trust-in-wosign-and.html
Hi there!

I'm just getting back to you on your dev-doc-needed request.

The dev-doc-needed keyword is specifically for MDN documentation. Having a look at this, it doesn't look like we have any documentation on NSS certificates. We have NSS stuff here — https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS — but I don't know how up-to-date any of it is, and don't have much knowledge in this area.

Saying that, do you think we need some kind of reference list of the certificates we support? I am quite happy to add something if needed; I just don't know what that something should be.
Flags: needinfo?(jjones)
Hey Chris,

Hmmm; there's probably not much need to document the trusted certificates list -- those who want to know pull the information from our code, and that's nice and up-to-date. I'd worry about maintenance of a whole list.

Since 58 is released now, I think we're probably good from a documentation standpoint. Google's blogging probably paved the way quite well, too.

Thanks for the analysis and suggestions; I think for these root removals we'll just rely on the security blog (and those of other browsers) for messaging, and not try to maintain user or developer documentation.
Flags: needinfo?(jjones)
Keywords: dev-doc-needed
(In reply to J.C. Jones [:jcj] from comment #3)
> Hey Chris,
> 
> Hmmm; there's probably not much need to document the trusted certificates
> list -- those who want to know pull the information from our code, and
> that's nice and up-to-date. I'd worry about maintenance of a whole list.
> 
> Since 58 is released now, I think we're probably good from a documentation
> standpoint. Google's blogging probably paved the way quite well, too.
> 
> Thanks for the analysis and suggestions; I think for these root removals
> we'll just rely on the security blog (and those of other browsers) for
> messaging, and not try to maintain user or developer documentation.

OK, sounds good to me. Thanks.