Closed Bug 1418678 Opened 8 years ago Closed 8 years ago

Add Certum CA Root certificate back to NSS (revert removal) with only Email trust bit set

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
3.34.1

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

References

Details

Attachments

(1 file)

In Bug #1400030 I had the following root certificate removed from NSS, because there are no SHA-2 subCAs under this root, and Firefox no longer accepts SHA-1 certs.

Common Name: Certum CA
Issuer Organization: Unizeto Sp. z o.o.
SHA-256 Fingerprint: D8:E0:FE:BC:1D:B2:E3:8D:00:94:0F:37:D2:7D:41:34:4D:99:3E:73:4B:99:D5:65:6D:97:78:D4:D8:14:36:24

However, the CA has requested that this root certificate be added back to NSS with only the Email trust bit set. From the CA:

"Many of our customers use Thunderbird and installing Root CA manually would be not acceptable. Moreover Certum CA root has been audited this year to show that we maintain the expected level of services and also to permit Certum CA to issue SHA1 S/MIME certificates (that are not within the scope of the Baseline Requirements). Although S/MIME certificates are in scope of Mozilla Root Policy, I do not see that Certum CA does not comply with the requirements of this policy."

Indeed, the CA is correct that this is OK according to Mozilla's Root Store Policy:
https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy#sha-1

Therefore, please add this root certificate back to the next version of NSS, with only the email trust bit set. This should be sufficient, because Thunderbird uses ESR, which is not picking up the changes in Firefox 58. Thunderbird will be picking up the changes in Firefox 59, so we would like to have this root added back to NSS in Firefox 59.
https://wiki.mozilla.org/RapidRelease/Calendar
Arkadiusz, please confirm that the data in this bug is correct, by adding a comment to it.
Flags: needinfo?(arkadiusz.lawniczak)
It's trust that Thunderbird as distributed by Mozilla wouldn't pick up the removal until version 59. However, on Linux distributions, the CA list is distributed separately, and may get updated with every update to Firefox. As a result, Linux distributions might effectively pick up the removal at the time Firefox 58 is shipped, and effectively remove it for Thunderbird, too. If we wanted to avoid this disadvantage for Thunderbird users on Linux, we'd have to ensure that we fix this bug for Firefox 58.
(In reply to Kai Engert (:kaie:) from comment #2)
> It's trust that Thunderbird as distributed by Mozilla wouldn't pick up the
> removal until version 59.

It's "true"
The easiest approach to "undo" the removal is to simply revert the portion of the removal commit, https://hg.mozilla.org/projects/nss/rev/946f134980f3, and make the trust flag adjustment.
Attached patch 1418678.patch
Assignee: nobody → kaie
Attachment #8930896 - Flags: review?(kwilson)
Blocks: 1419760
Depends on: 1419763
Comment on attachment 8930896 [details] [diff] [review]
1418678.patch

Looks good -- undoes the removal of the Certum CA root cert, and removes the Websites trust bit. Thanks!
Attachment #8930896 - Flags: review?(kwilson) → review+
Summary: Add Certum CA Root certificate back to NSS with only Email trust bit set → Add Certum CA Root certificate back to NSS (revert removal) with only Email trust bit set
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.35
Clearing the NeedInfo for Arkadiusz, since we are just reverting the removal change (from Bug# 1400030), and I have verified the diff. So, we're all set.
Flags: needinfo?(arkadiusz.lawniczak)
Target Milestone: 3.35 → 3.34.1
I have confirmed that this root is in Firefox 58.0b9 with only the Email trust bit enabled. Thanks!
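As an added illustration, not code from this bug or from NSS, here is a small parser for the trust objects in NSS's certdata.txt, the file the reviewed patch edits when it reverts the removal and drops the Websites trust bit. It reports which trust bits (Websites, Email, Code Signing) each root carries, so a reviewer can check that a root ends up Email-only. The certdata.txt sample inside it is constructed; the "Certum CA" label and the hash bytes in it are assumptions, not the real entry.

```python
"""Report the trust bits carried by each CKO_NSS_TRUST object in certdata.txt."""
from typing import Dict, List

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"  # value meaning "this trust bit is set"
BIT_ATTRS = {
    "CKA_TRUST_SERVER_AUTH": "websites",
    "CKA_TRUST_EMAIL_PROTECTION": "email",
    "CKA_TRUST_CODE_SIGNING": "code_signing",
}

def parse_objects(text: str) -> List[Dict[str, str]]:
    """Split certdata.txt into attribute dicts; each object starts at a CKA_CLASS
    line, and MULTILINE_OCTAL values run until a line reading END."""
    objects, current, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#") or line == "BEGINDATA":
            continue
        parts = line.split(None, 2)          # ATTR TYPE [VALUE]
        if len(parts) < 2:
            continue
        attr, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            chunks = []
            while i < len(lines) and lines[i].strip() != "END":
                chunks.append(lines[i].strip())
                i += 1
            i += 1                           # skip the END line
            value = "".join(chunks)
        else:
            value = parts[2].strip('"') if len(parts) > 2 else ""
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[attr] = value
    return objects

def trust_bits(text: str) -> Dict[str, Dict[str, bool]]:
    """Map each trust object's label to {websites, email, code_signing} flags."""
    return {
        obj["CKA_LABEL"]: {name: obj.get(attr) == TRUSTED for attr, name in BIT_ATTRS.items()}
        for obj in parse_objects(text) if obj.get("CKA_CLASS") == "CKO_NSS_TRUST"
    }

def email_only(bits: Dict[str, bool]) -> bool:
    """True when only the Email (S/MIME) trust bit is set, as this bug requests."""
    return bits["email"] and not bits["websites"] and not bits["code_signing"]

# Constructed sample (not the real certdata.txt entries): an Email-only root and a
# second root that also carries the Websites bit, for contrast.
SAMPLE = r"""
BEGINDATA
# Trust for "Certum CA" (constructed; hash bytes are placeholders)
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Certum CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
"""
```

Running `trust_bits(open("certdata.txt").read())` on a real checkout gives the same report for every root in the store.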