Remove Expired root certificates - Class 2 Primary, UTN-USERFirst-Client, Deutsche Telekom Root CA 2
(NSS :: CA Certificates Code, task, P1)
(Reporter: kwilson, Assigned: marcus.apb)
The following root certificates have expired, so they can be removed from NSS.
CN = Class 2 Primary CA
SHA-256 Fingerprint: 0F993C8AEF97BAAF5687140ED59AD1821BB4AFACF0AA9A58B5D57A338A3AFBCB
SHA-1 Fingerprint: 74207441729CDD92EC7931D823108DC28192E2BB
Trust Bits: Email, Websites
Expired on: 7/6/2019
Not EV
Related Bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1465629
CN = UTN-USERFirst-Client Authentication and Email
SHA-256 Fingerprint: 43F257412D440D627476974F877DA8F1FC2444565A367AE60EDDC27A412531AE
SHA-1 Fingerprint: B172B1A56D95F91FE50287E14D37EA6A4463768A
Trust Bits: Email
Expired on: 7/9/2019
CN = Deutsche Telekom Root CA 2
SHA-256 Fingerprint: B6191A50D0C3977F7DA99BCDAAC86A227DAEB9679EC70BA3B0C9D92271C170D3
SHA-1 Fingerprint: 85A408C09C193E5D51587DCDD61330FD8CDE37BF
Trust Bits: Email, Websites
Expired on: 7/9/2019
Not EV
Comment 1•4 years ago (Reporter)
Remi, please confirm that DocuSign is ready for the expired "Class 2 Primary CA" to be removed from Mozilla's Root Store (NSS).
Comment 2•4 years ago (Reporter)
Rob, please confirm that Sectigo is ready for the expired "UTN-USERFirst-Client Authentication and Email" root to be removed from Mozilla's Root Store.
Comment 3•4 years ago
Marcus, take this one - we'll land the patch after we get confirmation for the above needinfos (comment 1, comment 2)
Comment 4•4 years ago (Reporter)
Arnold, please confirm that T-Systems is ready for the expired "Deutsche Telekom Root CA 2" root to be removed from Mozilla's Root Store.
Comment 5•4 years ago
Hello Kathleen, Yes, T-Systems is ready for the expired "Deutsche Telekom Root CA 2" root to be removed from Mozilla's Root Store.
Comment 6•4 years ago
(In reply to Kathleen Wilson from comment #2)
> Rob, please confirm that Sectigo is ready for the expired "UTN-USERFirst-Client Authentication and Email" root to be removed from Mozilla's Root Store.
Hi Kathleen. The primary use case for this root (S/MIME) expects long-term validation of signatures. Does NSS (or Thunderbird) support validation of S/MIME signatures after an end-entity S/MIME certificate has expired? Or after the end-entity and intermediate CA certificates have expired? Or (in this case) after the end-entity, intermediate and root CA certificates have expired?
(If yes to all of those questions, then it would be useful to keep this expired root in the NSS trust list)
Comment 7•4 years ago
If any of the involved certificates expire, then NSS and Thunderbird treat the signature as no longer valid. The justification is that revocation checking is no longer possible, because CAs usually stop publishing revocation information after a certificate has expired. If my understanding about availability of revocation information is correct, then keeping the certificate wouldn't have any positive effect on signature status of old emails.
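The behaviour Kai describes in comment 7, set against the long-term (archival) validation model Rob asks about in comment 6, as an added illustration that is not part of this bug or of NSS code. The chain, the signing and verification times, and the intermediate and end-entity certificates are constructed; only the root's name and expiry date come from this bug.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields needed here."""
    subject: str
    not_before: datetime
    not_after: datetime

# Constructed S/MIME chain. The root's name and expiry date come from this bug;
# its start date and the other two certificates are hypothetical.
ROOT = Cert("Deutsche Telekom Root CA 2", datetime(1999, 7, 9), datetime(2019, 7, 9))
INTERMEDIATE = Cert("Example Mail CA (hypothetical)", datetime(2010, 1, 1), datetime(2019, 7, 1))
LEAF = Cert("alice@example.com (hypothetical)", datetime(2017, 1, 1), datetime(2018, 12, 31))
CHAIN = [LEAF, INTERMEDIATE, ROOT]
SIGNING_TIME = datetime(2018, 6, 1)       # when the (constructed) message was signed
VERIFICATION_TIME = datetime(2020, 1, 1)  # when the recipient re-opens it

def expired_at(chain, when):
    """Subjects of chain members whose validity period does not contain `when`."""
    return [c.subject for c in chain if not (c.not_before <= when <= c.not_after)]

def smime_status(chain, trust_store, signing_time, verification_time, long_term=False):
    """Classify a signature the way comment 7 describes NSS/Thunderbird behaving.

    long_term=False: every certificate must be valid at verification time (NSS).
    long_term=True: certificates need only have been valid when the message was
                    signed (the archival model Rob asks about in comment 6).
    """
    if chain[-1].subject not in trust_store:
        return "invalid: root not trusted"
    stale = expired_at(chain, signing_time if long_term else verification_time)
    if stale:
        return "invalid: expired " + ", ".join(stale)
    return "valid"

def compare_policies(signing_time=SIGNING_TIME, verification_time=VERIFICATION_TIME):
    """Both policies, with the expired root kept in and removed from the store."""
    results = {}
    for store_name, store in (("root kept", {ROOT.subject}), ("root removed", set())):
        for long_term in (False, True):
            key = (store_name, "long-term" if long_term else "nss")
            results[key] = smime_status(CHAIN, store, signing_time, verification_time, long_term)
    return results

if __name__ == "__main__":
    for (store, policy), status in compare_policies().items():
        print(f"{store:13s} {policy:10s} -> {status}")
```

Under the NSS policy the signature is invalid in 2020 whether or not the expired root is still in the store, which is the point of comment 7; only a signing-time policy would benefit from keeping it.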
Comment 8•4 years ago (Assignee)
Updated•4 years ago (Assignee)
Comment 9•4 years ago (Reporter)
Changing the needinfo from Remi to Erwann, because I received an email reply saying Remi is OOO until September.
Comment 10•4 years ago
Bonjour Kathleen,
I confirm that DocuSign France is ready to have the expired root CA "Class 2 Primary CA" removed from NSS.
Comment 12•4 years ago
(In reply to Kai Engert (:kaie:) from comment #7)
> If any of the involved certificates expire, then NSS and Thunderbird treat the signature as no longer valid. The justification is that revocation checking is no longer possible, because CAs usually stop publishing revocation information after a certificate has expired. If my understanding about availability of revocation information is correct, then keeping the certificate wouldn't have any positive effect on signature status of old emails.
Thanks Kai. In that case...
(In reply to Kathleen Wilson from comment #2)
> Rob, please confirm that Sectigo is ready for the expired "UTN-USERFirst-Client Authentication and Email" root to be removed from Mozilla's Root Store.
Kathleen, I confirm that Sectigo is ready for the expired "UTN-USERFirst-Client Authentication and Email" root to be removed from Mozilla's Root Store.
Comment 13•4 years ago (Reporter)
Thanks, Arnold, Erwann, and Rob, for confirming that these expired root certs may be removed from Mozilla's root store.
Comment 14•4 years ago