Enable GlobalSign Root CA - R6 for EV in PSM

RESOLVED FIXED in Firefox 64

Status: RESOLVED FIXED
Type: enhancement
Priority: P1
Severity: normal
Reporter: kwilson
Assignee: keeler
Version: 63 Branch
Target Milestone: mozilla64
Firefox Tracking Flags: firefox63 wontfix, firefox64 fixed
Whiteboard: [psm-assigned]
Attachments: 1

Per bug #1390803 the request from GlobalSign has been approved to enable the following root certificate for EV use. Please make the corresponding changes to PSM.

Friendly Name: GlobalSign Root CA - R6
SHA-1 Fingerprint: 8094640EB5A7A1CA119C1FDDD59F810263A7FBD1
SHA-256 Fingerprint: 2CABEAFE37D06CA22ABA7391C0033D25982952C453647349763A3AB5AD6CCF69
EV Policy OID: 2.23.140.1.1
Test URL: https://valid.r6.roots.globalsign.com/
Assignee: nobody → dkeeler
Whiteboard: [psm-assigned]
Julie,

Please confirm that we should use the GlobalSign EV OID (1.3.6.1.4.1.4146.1.1) instead of the CAB Forum EV OID (2.23.140.1.1) for enabling EV treatment for this "GlobalSign Root CA - R6" root.

Background:
Dana ran into a problem when adding EV treatment for GlobalSign Root CA - R6. If we want this root to be authoritative for the EV Policy OID 2.23.140.1.1, any end-entities GlobalSign issues will have to list that OID first -- which is not what we're seeing with the test site valid.r6.roots.globalsign.com.
If the certificate verifier finds the GlobalSign EV OID (1.3.6.1.4.1.4146.1.1) first, it'll try to use that OID since we already have GlobalSign roots that are authoritative for it. That won't work if we've used 2.23.140.1.1 for this root -- it'll fall back to DV.
So we believe we should make this root authoritative for the GlobalSign EV OID.
Flags: needinfo?(julie.olson)
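A simplified model of the OID lookup described in the comment above, added here as an illustration and not PSM's own code: the verifier takes the first end-entity policy OID that any trusted root is authoritative for, and grants EV only if the chain's own root is authoritative for that OID and every intermediate asserts it (or anyPolicy, the condition asked about later in the thread). The root tables, the "older GlobalSign root (placeholder)" entry and the constructed policy sets are assumptions for the example.

```python
GLOBALSIGN_EV_OID = "1.3.6.1.4.1.4146.1.1"   # GlobalSign's own EV policy OID
CABF_EV_OID = "2.23.140.1.1"                 # CA/Browser Forum EV policy OID
ANY_POLICY = "2.5.29.32.0"                   # RFC 5280 anyPolicy

# Constructed EV root table keyed by friendly name (PSM keys on fingerprint).
# "older GlobalSign root (placeholder)" stands in for the existing GlobalSign
# roots that are already authoritative for the GlobalSign EV OID.
EV_ROOTS_BEFORE = {
    "older GlobalSign root (placeholder)": GLOBALSIGN_EV_OID,
    "GlobalSign Root CA - R6": CABF_EV_OID,
}
# Table after the fix that landed: every GlobalSign root uses the CABF OID.
EV_ROOTS_AFTER = {
    "older GlobalSign root (placeholder)": CABF_EV_OID,
    "GlobalSign Root CA - R6": CABF_EV_OID,
}


def ev_treatment(ee_policy_oids, intermediate_policy_sets, chain_root, ev_roots):
    """Return "EV" or "DV" for a chain whose end-entity certificate lists
    ee_policy_oids (in certificate order), passes through intermediates
    asserting intermediate_policy_sets, and terminates at chain_root."""
    for oid in ee_policy_oids:
        if oid not in ev_roots.values():
            continue  # no trusted root is authoritative for this OID; keep scanning
        if ev_roots.get(chain_root) != oid:
            return "DV"  # first usable OID belongs to another root: fall back to DV
        for policies in intermediate_policy_sets:
            if oid not in policies and ANY_POLICY not in policies:
                return "DV"  # an intermediate does not carry the chosen policy
        return "EV"
    return "DV"  # no recognised EV policy OID at all


if __name__ == "__main__":
    r6 = "GlobalSign Root CA - R6"
    observed_order = [GLOBALSIGN_EV_OID, CABF_EV_OID]  # order seen on the test site
    flipped_order = [CABF_EV_OID, GLOBALSIGN_EV_OID]   # order GlobalSign agreed to use
    intermediates = [{GLOBALSIGN_EV_OID, CABF_EV_OID}]  # constructed intermediate policies
    print("before, observed order:", ev_treatment(observed_order, intermediates, r6, EV_ROOTS_BEFORE))  # DV
    print("before, flipped order: ", ev_treatment(flipped_order, intermediates, r6, EV_ROOTS_BEFORE))   # EV
    print("after,  observed order:", ev_treatment(observed_order, intermediates, r6, EV_ROOTS_AFTER))   # EV
```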
Julie,
It sounds like there is another option... to change all GlobalSign roots to use the CABF EV OID in Firefox. However, this will only work if all existing GlobalSign EV certs contain the CABF EV OID (in addition to the GlobalSign EV OID).
Hi Kathleen,

All of our active SSL EV certificates have both the GlobalSign and CA/BF OID. We will make sure to flip the OID order moving forward so the CA/BF one goes first.

Thanks,
Julie.
Flags: needinfo?(julie.olson)
Julie, Do all of GlobalSign's EV intermediate certificates have the CABF EV Policy OID or the AnyPolicy OID?
If yes, then when we add EV treatment for this root, we will change all GlobalSign occurrences in ExtendedValidation.cpp to use the CABF EV OID.
Hi Kathleen,

Sorry, yes, all of those certificates have the CABF EV Policy OID.

Thanks,
Julie.
This patch also switches all GlobalSign EV roots to using the CA/Browser Forum EV policy OID.
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7381bd2bb8eb
enable GlobalSign Root CA - R6 for EV in PSM r=franziskus
https://hg.mozilla.org/mozilla-central/rev/7381bd2bb8eb
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
Julie, this change is now available in Firefox Nightly. I have tested and verified EV treatment for a couple test websites, and it looks good. Please perform additional testing.

https://download.mozilla.org/?product=firefox-nightly-latest-ssl&os=osx&lang=en-US

Thanks,
Kathleen