Status

Type: task
Priority: P1
Severity: normal
Status: RESOLVED FIXED
Opened: Last month
Closed: 12 days ago

People

(Reporter: wayne, Assigned: jcj)

Tracking

3.45

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Reporter

Description

Last month

If kwilson@mozilla.com grants approval, please remove the following root certificate from NSS:

Common Name: Certinomis - Root CA
SHA-1 Fingerprint: 9D70BB01A5A4A018112EF71C01B932C534E788A8
SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
Trust Bits: Websites

  • This root is not enabled for EV treatment

Reason: An issues list [1] and resulting discussion [2] on the mozilla.dev.security.policy list led to this recommendation.

Timing: I recommend that this be handled as part of the normal release process, with the change shipping in Firefox 69.

Impact: 6 Certinomis certificates were identified in a scan of the top 1M websites using TLSCanary. CT Logs detect roughly 2000 unexpired certificates that will be affected by this change [3][4]

[1] https://wiki.mozilla.org/CA/Certinomis_Issues
[2] https://groups.google.com/d/msg/mozilla.dev.security.policy/rmU311hOIIc/36RWof79CgAJ
[3] https://crt.sh/?Identity=%25&iCAID=60397&exclude=expired
[4] https://crt.sh/?Identity=%25&iCAID=1487&exclude=expired
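
The SHA-256 fingerprint in the description is enough to check whether a PEM trust bundle still carries this root. The script below is an added example, not part of the bug or of NSS; the function names are hypothetical and the sample bundle is built from constructed placeholder bytes, not real certificates.

```python
import base64
import hashlib
import re

# SHA-256 fingerprint of "Certinomis - Root CA", copied from the bug description.
DISTRUSTED_SHA256 = {
    "2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158": "Certinomis - Root CA",
}

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL
)

def normalize(fp):
    """Accept fingerprints written with colons, spaces or lowercase hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def fingerprints(bundle_text):
    """Yield (index, SHA-256 fingerprint) for each PEM certificate in the bundle."""
    for index, match in enumerate(PEM_CERT.finditer(bundle_text)):
        # The fingerprint is the hash of the DER encoding, i.e. the
        # base64-decoded PEM body; no ASN.1 parsing is required.
        der = base64.b64decode("".join(match.group(1).split()), validate=True)
        yield index, hashlib.sha256(der).hexdigest().upper()

def audit_bundle(bundle_text, distrusted=DISTRUSTED_SHA256):
    """Return (index, fingerprint, name) for every bundle entry on the distrust list."""
    wanted = {normalize(fp): name for fp, name in distrusted.items()}
    return [(i, fp, wanted[fp]) for i, fp in fingerprints(bundle_text) if fp in wanted]

def make_pem(der):
    """Wrap raw bytes in PEM armor (used only to build the constructed sample)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

# Constructed sample input: placeholder bytes standing in for DER certificates.
SAMPLE_DER = [b"constructed placeholder DER #1", b"constructed placeholder DER #2"]
SAMPLE_BUNDLE = "# constructed bundle\n" + "".join(make_pem(d) for d in SAMPLE_DER)

if __name__ == "__main__":
    hits = audit_bundle(SAMPLE_BUNDLE)
    for index, fp, name in hits:
        print(f"entry {index}: {name} ({fp}) is still present")
    print(f"{len(hits)} distrusted root(s) found")
```

To audit a real trust store, pass the text of its PEM bundle to audit_bundle in place of SAMPLE_BUNDLE.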

Comment 1

Last month

> CT Logs detect roughly 2000 unexpired certificates that will be affected by this change [3][4]

When you de-duplicate certificates and precertificates, and exclude certificates whose OCSP status is revoked or unknown, the number of affected certificates is 1,381 as of 2019-05-13.

Comment 2

24 days ago

(In reply to Wayne Thayer [:wayne] from comment #0)

> If kwilson@mozilla.com grants approval, please remove the following root certificate from NSS:
>
> Common Name: Certinomis - Root CA
> SHA-1 Fingerprint: 9D70BB01A5A4A018112EF71C01B932C534E788A8
> SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
> Trust Bits: Websites
>
>   • This root is not enabled for EV treatment

I approve of the removal of the specified root certificate in NSS 3.45 and Firefox 69.

Reference:
https://wiki.mozilla.org/Release_Management/Calendar

Assignee: kwilson → jjones
Target Milestone: --- → 3.45

Updated

24 days ago
Flags: needinfo?(jjones)
Assignee

Updated

19 days ago
Status: NEW → ASSIGNED
Priority: -- → P1
Assignee

Comment 3

16 days ago

Move to root store version 2.34 for NSS 3.45

Common Name: Certinomis - Root CA
SHA-1 Fingerprint: 9D70BB01A5A4A018112EF71C01B932C534E788A8
SHA-256 Fingerprint: 2A99F5BC1174B73CBB1D620884E01C34E51CCB3978DA125F0E33268883BF4158
Trust Bits: Websites

Assignee

Comment 4

16 days ago

Patch posted for review.

Flags: needinfo?(jjones)
Assignee

Comment 5

12 days ago
Status: ASSIGNED → RESOLVED
Closed: 12 days ago
Resolution: --- → FIXED