Closed Bug 1465625 Opened 4 years ago Closed 3 years ago

Turn off Websites trust bit for OpenTrust and Certplus root certs

Categories

(NSS :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: kwilson)

Details

(Whiteboard: Websites trust bit turned off in NSS 3.39, Firefox 63)

Per https://bugzilla.mozilla.org/show_bug.cgi?id=1025095#c54

The CA has requested the following.
~~
Bonjour,

We want to remove the Trust Bit "Websites" for these 5 root CAs, repeated below:

OpenTrust Root CA G1
SHA1 fingerprint: 7991e834f7e2eedd08950152e9552d14e958d57e

OpenTrust Root CA G2
SHA1 fingerprint: 795f8860c5ab7c3d92e6cbf48de145cd11ef600b

OpenTrust Root CA G3
SHA1 fingerprint: 6e2664f356bf3455bfd1933f7c01ded813da8aa6

Certplus Root CA G1
SHA1 fingerprint: 22fdd0b7fda24e0dac492ca0aca67b6a1fe3f766

Certplus Root CA G2
SHA1 fingerprint: 4f658e1fe906d82802e9544741c954255d69cc1a
~~
Erwann,

Please clarify the following:

1) Is there urgency (e.g. security concern) regarding removal of the Websites trust bit for any of these roots?

2) Will you be getting BR and EV audit statements for these roots and their hierarchies this year?

3) When do the last SSL certs chaining up to these roots expire?

4) How significant will the impact be for your customers if we remove the Websites trust bit before such certs expire?

5) What date would you prefer to have EV treatment disabled for these roots?

6) What date would you prefer to have SSL certs chaining up to these roots stop being trusted in NSS and Firefox?
Blocks: 1465629
No longer blocks: 1465629
Flags: needinfo?(erwann.abalea)
Bonjour,

(In reply to Kathleen Wilson from comment #1)
> Erwann,
> 
> Please clarify the following:
> 
> 1) Is there urgency (e.g. security concern) regarding removal of the
> Websites trust bit for any of these roots?

There is no urgency, just an end-of-life of the TLS certificates offer on our side.

> 2) Will you be getting BR and EV audit statements for these roots and their
> hierarchies this year?

No.

> 3) When do the last SSL certs chaining up to these roots expire?

Those roots haven't been used to issue TLS certificates.

> 4) How significant will the impact be for your customers if we remove the
> Websites trust bit before such certs expire?

No impact.

> 5) What date would you prefer to have EV treatment disabled for these roots?

The sooner the better.

> 6) What date would you prefer to have SSL certs chaining up to these roots
> stop being trusted in NSS and Firefox?

The sooner the better.
Flags: needinfo?(erwann.abalea)
Depends on: 1476473
The code changes for this request should be in the July/August batch of root changes, which is planned for NSS 3.39 and Firefox 63.
https://wiki.mozilla.org/NSS:Release_Versions
https://wiki.mozilla.org/Release_Management/Calendar

The request is to turn off the Websites trust bit for the following 5 root certificates.

CN=OpenTrust Root CA G1; O=OpenTrust; C=FR
SHA-1 Fingerprint: 7991E834F7E2EEDD08950152E9552D14E958D57E
SHA-256 Fingerprint: 56C77128D98C18D91B4CFDFFBC25EE9103D4758EA2ABAD826A90F3457D460EB4

CN=OpenTrust Root CA G2; O=OpenTrust; C=FR
SHA-1 Fingerprint: 795F8860C5AB7C3D92E6CBF48DE145CD11EF600B
SHA-256 Fingerprint: 27995829FE6A7515C1BFE848F9C4761DB16C225929257BF40D0894F29EA8BAF2

CN=OpenTrust Root CA G3; O=OpenTrust; C=FR
SHA-1 Fingerprint: 6E2664F356BF3455BFD1933F7C01DED813DA8AA6
SHA-256 Fingerprint: B7C36231706E81078C367CB896198F1E3208DD926949DD8F5709A410F75B6292

CN=Certplus Root CA G1; O=Certplus; C=FR
SHA-1 Fingerprint: 22FDD0B7FDA24E0DAC492CA0ACA67B6A1FE3F766
SHA-256 Fingerprint: 152A402BFCDF2CD548054D2275B39C7FCA3EC0978078B0F0EA76E561A6C7433E

CN=Certplus Root CA G2; O=Certplus; C=FR
SHA-1 Fingerprint: 4F658E1FE906D82802E9544741C954255D69CC1A
SHA-256 Fingerprint: 6CC05041E6445E74696C4CFBC9F80F543B7EABBB44B4CE6F787C6A9971C42F17
Depends on: 1478638
The test build is available here:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=b995d66b28d86bfb0ad5d97c07570c7d940af9a3

I have already tested and confirmed the changes, but you may test the changes as described here:
https://wiki.mozilla.org/CA/Application_Instructions#Test
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: Websites trust bit turned off in NSS 3.39, Firefox 63
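
One way to confirm that a given copy of the NSS built-in root list carries this change, as an added example that is not part of the bug or of NSS. It assumes the certdata.txt trust-record layout (CKO_NSS_TRUST objects with an octal CKA_CERT_SHA1_HASH and a CKA_TRUST_SERVER_AUTH value, where CKT_NSS_TRUSTED_DELEGATOR means the Websites bit is on); the function names and the sample records are constructed for illustration.

```python
import re

# SHA-1 fingerprints of the five roots, copied from this bug.
ROOTS = {
    "7991E834F7E2EEDD08950152E9552D14E958D57E": "OpenTrust Root CA G1",
    "795F8860C5AB7C3D92E6CBF48DE145CD11EF600B": "OpenTrust Root CA G2",
    "6E2664F356BF3455BFD1933F7C01DED813DA8AA6": "OpenTrust Root CA G3",
    "22FDD0B7FDA24E0DAC492CA0ACA67B6A1FE3F766": "Certplus Root CA G1",
    "4F658E1FE906D82802E9544741C954255D69CC1A": "Certplus Root CA G2",
}

def trust_records(certdata):
    """Yield (sha1_hex, {trust_attr: value}) for every CKO_NSS_TRUST object."""
    for obj in re.split(r"(?m)^CKA_CLASS\s+CK_OBJECT_CLASS\s+", certdata)[1:]:
        if not obj.startswith("CKO_NSS_TRUST"):
            continue  # skip certificate objects and the root-list header
        m = re.search(r"CKA_CERT_SHA1_HASH\s+MULTILINE_OCTAL\n(.*?)\nEND", obj, re.S)
        if m is None:
            continue
        # The hash is stored as \ooo octal escapes, possibly over several lines.
        octets = re.findall(r"\\([0-7]{3})", m.group(1))
        sha1 = "".join("%02X" % int(o, 8) for o in octets)
        yield sha1, dict(re.findall(r"(?m)^(CKA_TRUST_\w+)\s+CK_TRUST\s+(\w+)", obj))

def websites_bit_still_on(certdata, roots=ROOTS):
    """Names of the listed roots that are still TLS server-auth trust anchors."""
    return sorted(roots[h] for h, trust in trust_records(certdata)
                  if h in roots
                  and trust.get("CKA_TRUST_SERVER_AUTH") == "CKT_NSS_TRUSTED_DELEGATOR")

def constructed_record(sha1_hex, server_auth):
    """Build a minimal trust record (constructed sample, not real certdata.txt)."""
    octal = "".join("\\%03o" % b for b in bytes.fromhex(sha1_hex))
    return ("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n"
            "CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n"
            + octal[:64] + "\n" + octal[64:] + "\nEND\n"
            "CKA_TRUST_SERVER_AUTH CK_TRUST " + server_auth + "\n"
            "CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n")

# Constructed input: G1 already changed, G2 not yet, plus an unrelated root.
SAMPLE = (constructed_record("7991E834F7E2EEDD08950152E9552D14E958D57E", "CKT_NSS_MUST_VERIFY_TRUST")
          + constructed_record("795F8860C5AB7C3D92E6CBF48DE145CD11EF600B", "CKT_NSS_TRUSTED_DELEGATOR")
          + constructed_record("00" * 20, "CKT_NSS_TRUSTED_DELEGATOR"))

if __name__ == "__main__":
    print(websites_bit_still_on(SAMPLE))
```

To check a real tree, pass the text of its certdata.txt to websites_bit_still_on(); an empty list means none of the five roots is still a TLS server-auth trust anchor.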