Closed Bug 1410544 Opened 4 years ago Closed 3 years ago

Remove "Security Communication EV RootCA1" root cert

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: h-kamo)

Details

(Whiteboard: Removed in NSS 3.35, Firefox 59)

Please remove the following root certificate from NSS.


Certificate Issuer Organization: SECOM Trust Systems CO.,LTD.
Certificate Issuer Organizational Unit: Security Communication EV RootCA1
SHA-1 Fingerprint: FE:B8:C4:32:DC:F9:76:9A:CE:AE:3D:D8:90:8F:FD:28:86:65:64:7D
SHA-256 Fingerprint: A2:2D:BA:68:1E:97:37:6E:2D:39:7D:72:8A:AE:3A:9B:62:96:B9:FD:BA:60:BC:2E:11:F6:47:F2:C6:75:FB:37

* This root cert is enabled for EV treatment.

Reason for removal: 
Received email from the representative of this CA that said: "We are not providing services ... for the root of “Security Communication EV RootCA1” anymore, thus there is no WebTrust report."
Depends on: 1410546
Depends on: 1427977
Whiteboard: Change will be in NSS 3.35, Firefox 59
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: Change will be in NSS 3.35, Firefox 59 → Removed in NSS 3.35, Firefox 59

Kathleen: For clarity, this appears to still be cross-signed by a root in the Mozilla program:

https://crt.sh/?id=36251
https://crt.sh/?id=1644

The CCADB disclosures apparently indicate "same as parent", except this is not included in the scope of those audits.

Status: RESOLVED → REOPENED
Flags: needinfo?(kwilson)
QA Contact: kwilson
Resolution: FIXED → ---

(In reply to Ryan Sleevi from comment #1)

Kathleen: For clarity, this appears to still be cross-signed by a root in the Mozilla program:
https://crt.sh/?id=36251
https://crt.sh/?id=1644
The CCADB disclosures apparently indicate "same as parent", except this is not included in the scope of those audits.

Ryan, Thank you for pointing this out.

Dear Kamo-san,

As you know, we removed the "Security Communication EV RootCA1" root certificate from Mozilla's root store, because it was no longer being audited.

However, this root certificate was cross-signed by the "SECOM Trust.net - Security Communication RootCA1" root certificate that is still included in Mozilla's Root Store.

Therefore, please revoke the following root certificate asap. Otherwise, we need audit statements for it.

https://crt.sh/?id=36251
Subject: OU=Security Communication EV RootCA1; O=SECOM Trust Systems CO.,LTD.; C=JP
Issuer: OU=Security Communication RootCA1; O=SECOM Trust.net; C=JP
Certificate Serial Number: 12B9B0E4
SHA-256 Fingerprint: E5AD411164AF69216B768D5272E564C2A08FFFE20A547065119545AF03BEFEF0

Note: The other cert mentioned in Comment #1 (https://crt.sh/?id=1644) is expired, so no action is needed for that cert.

I look forward to your prompt response.

Thanks,
Kathleen

Assignee: nobody → h-kamo
Flags: needinfo?(kwilson) → needinfo?(h-kamo)

Dear Kathleen-san,

Thank you for your notice.
We will revoke this certificate upon confirming the revocation procedure carefully.
The target for this is the end of January.

Thank you for your consideration.

Best regards,
Hisashi Kamo

Flags: needinfo?(h-kamo)

(In reply to Kathleen Wilson from comment #2)

please revoke the following root certificate asap. Otherwise, we need audit statements for it.

https://crt.sh/?id=36251
Subject: OU=Security Communication EV RootCA1; O=SECOM Trust Systems CO.,LTD.; C=JP
Issuer: OU=Security Communication RootCA1; O=SECOM Trust.net; C=JP
Certificate Serial Number: 12B9B0E4
SHA-256 Fingerprint: E5AD411164AF69216B768D5272E564C2A08FFFE20A547065119545AF03BEFEF0

I confirm that this certificate has been revoked and is indicated as such in the CCADB.
It will be added to OneCRL as part of our standard CCADB->OneCRL process.

Thanks,
Kathleen

Status: REOPENED → RESOLVED
Closed: 4 years ago → 3 years ago
Resolution: --- → FIXED

Dear Kathleen-san,

Thank you for your confirmation.
As you described at comment #4, we revoked this certificate and indicated this in the CCADB yesterday.

Best regards,
Hisashi Kamo
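
The situation discussed in this bug, as an added example (not taken from the bug or from NSS): a simplified path-building model, without signature checks, showing why removing the EV root from the store did not end trust while the cross-certificate with serial 12B9B0E4 was unrevoked. The subordinate CA and leaf names, the placeholder serials, and the (issuer, serial) revocation key are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: str

# Names and the cross-certificate serial come from the bug thread;
# everything marked "constructed" is a placeholder for illustration.
EV_ROOT = "OU=Security Communication EV RootCA1"
ROOT1 = "OU=Security Communication RootCA1"
SUB_CA = "CN=ev-issuing-ca.example"   # constructed
LEAF = "CN=www.example"               # constructed

CERTS = [
    Cert(EV_ROOT, EV_ROOT, "SERIAL-PLACEHOLDER-1"),  # self-signed EV root
    Cert(EV_ROOT, ROOT1, "12B9B0E4"),                # cross-cert, crt.sh id 36251
    Cert(ROOT1, ROOT1, "SERIAL-PLACEHOLDER-2"),      # self-signed RootCA1
    Cert(SUB_CA, EV_ROOT, "SERIAL-PLACEHOLDER-3"),   # constructed
    Cert(LEAF, SUB_CA, "SERIAL-PLACEHOLDER-4"),      # constructed
]

def find_paths(subject, certs, anchors, revoked=frozenset(), _seen=()):
    """Return every chain from `subject` up to a name in `anchors`.

    anchors: subject names present in the root store.
    revoked: (issuer, serial) pairs that must not appear in any chain.
    """
    paths = []
    for c in certs:
        if c.subject != subject or (c.issuer, c.serial) in revoked:
            continue
        if c.issuer in anchors:
            paths.append([c])  # chain terminates at a trusted root
        elif c.issuer != c.subject and c.issuer not in _seen:
            for rest in find_paths(c.issuer, certs, anchors, revoked,
                                   _seen + (subject,)):
                paths.append([c] + rest)
    return paths

def scenarios():
    """Three states of the bug: before removal, after removal, after revocation."""
    return {
        "both roots in store": find_paths(LEAF, CERTS, {EV_ROOT, ROOT1}),
        "EV root removed": find_paths(LEAF, CERTS, {ROOT1}),
        "cross-cert revoked": find_paths(LEAF, CERTS, {ROOT1},
                                         revoked={(ROOT1, "12B9B0E4")}),
    }
```
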
