Closed Bug 1618402 Opened 5 years ago Closed 5 years ago

Symantec root certs - removal and turning off Email trust bit

Categories

(NSS :: CA Certificates Code, enhancement, P1)

3.54
enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: jcj)

Attachments

(4 files)

As listed below, the following Symantec root certificates are either ready to be removed from NSS or to have the Email trust bit disabled.

  1. Remove the following root certs.
  • Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US
    Certificate Serial Number: 34176512403BB756802D80CB7955A61E
    SHA-1 Fingerprint: 6724902E4801B02296401046B4B1672CA975FD2B
    SHA-256 Fingerprint: FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592

  • Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US
    Certificate Serial Number: 216E33A5CBD388A46F2907B4273CC4D8
    SHA-1 Fingerprint: 84F2E3DD83133EA91D19527F02D729BFC15FE667
    SHA-256 Fingerprint: 363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF

  • Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
    Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57
    SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6
    SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244

  2. Disable the Email trust bit for the following root certs. (i.e. set CKA_TRUST_EMAIL_PROTECTION to CK_TRUST CKT_NSS_MUST_VERIFY_TRUST)
  • Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US
    Certificate Serial Number: 023456
    SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
    SHA-256 Fingerprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A

  • Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
    Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B
    SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0
    SHA-256 Fingerprint: 5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766

  • Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
    Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F
    SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
    SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4

  • Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US
    Certificate Serial Number: 01
    SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79
    SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912

  • Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US
    Certificate Serial Number: 01
    SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079
    SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B

  • Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
    Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3
    SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A
    SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79

  • Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
    Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
    SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
    SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF

Assignee: nobody → jjones
Severity: normal → S3
Status: NEW → ASSIGNED
Priority: -- → P1
Version: 3.51 → 3.54
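As an added illustration (not code from this bug, from NSS, or from the Phabricator revisions it references) of what the Email trust bit change means at the certdata.txt level: the script parses a constructed trust object, checks its CKA_CERT_SHA1_HASH against the GeoTrust Global CA fingerprint listed above, and rewrites CKA_TRUST_EMAIL_PROTECTION to CKT_NSS_MUST_VERIFY_TRUST while leaving the other trust bits untouched. It assumes the certdata.txt layout of blank-line-separated objects with MULTILINE_OCTAL hashes.

```python
import re
# Constructed certdata.txt-style excerpt (not the real file); the SHA-1 is the
# GeoTrust Global CA fingerprint listed in this bug (objects separated by blank lines).
CERTDATA = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "GeoTrust Global CA"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\336\050\364\244\377\345\271\057\243\305\003\321\243\111\247\371
\226\052\202\022
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''
TRUST_CLASS = 'CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST'
EMAIL_ATTR = 'CKA_TRUST_EMAIL_PROTECTION'

def parse_blocks(text):
    """Yield (sha1_hex_or_None, lines) for each blank-line-separated object."""
    for raw in re.split(r'\n\s*\n', text.strip()):
        lines, sha1, i = raw.split('\n'), None, 0
        while i < len(lines):
            if lines[i].startswith('CKA_CERT_SHA1_HASH MULTILINE_OCTAL'):
                octal, i = '', i + 1
                while lines[i] != 'END':  # collect the octal escapes up to END
                    octal, i = octal + lines[i], i + 1
                sha1 = bytes(int(o, 8) for o in re.findall(r'\\([0-7]{3})', octal)).hex().upper()
            i += 1
        yield sha1, lines

def email_trust(text, sha1_hex):
    """Return the Email trust value of the trust object whose SHA-1 matches."""
    for sha1, lines in parse_blocks(text):
        if sha1 == sha1_hex.upper() and TRUST_CLASS in lines:
            for line in lines:
                if line.startswith(EMAIL_ATTR + ' '):
                    return line.split()[2]
    raise KeyError('no trust object with SHA-1 ' + sha1_hex)

def disable_email_trust(text, sha1_hex):
    """Return text with that object's Email bit set to CKT_NSS_MUST_VERIFY_TRUST."""
    email_trust(text, sha1_hex)  # fail loudly if the fingerprint is not present
    out = []
    for sha1, lines in parse_blocks(text):
        if sha1 == sha1_hex.upper() and TRUST_CLASS in lines:
            lines = [EMAIL_ATTR + ' CK_TRUST CKT_NSS_MUST_VERIFY_TRUST'
                     if ln.startswith(EMAIL_ATTR + ' ') else ln for ln in lines]
        out.append('\n'.join(lines))
    return '\n\n'.join(out) + '\n'
```

Matching on the decoded hash rather than on CKA_LABEL is the point: a label can be reused, a fingerprint cannot.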

Remove the following root certs:

Subject: CN=Symantec Class 2 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US
Certificate Serial Number: 34176512403BB756802D80CB7955A61E
SHA-1 Fingerprint: 6724902E4801B02296401046B4B1672CA975FD2B
SHA-256 Fingerprint: FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592

Subject: CN=Symantec Class 1 Public Primary Certification Authority - G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US
Certificate Serial Number: 216E33A5CBD388A46F2907B4273CC4D8
SHA-1 Fingerprint: 84F2E3DD83133EA91D19527F02D729BFC15FE667
SHA-256 Fingerprint: 363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF

Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57
SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6
SHA-256 Fingerprint: EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244

These entries were signed by VeriSign Class 3 Public Primary Certification Authority - G3, now removed.

Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US

cert 1:
Serial Number:4c:00:36:1b:e5:08:2b:a9:aa:ce:74:0a:05:3e:fb:34
Subject: CN=Egypt Trust Class 3 Managed PKI Enterprise Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
Not Valid Before: Sun May 18 00:00:00 2008
Not Valid After : Thu May 17 23:59:59 2018
Fingerprint (MD5): A7:91:05:96:B1:56:01:26:4E:BF:80:80:08:86:1B:4D
Fingerprint (SHA1): 6A:2C:5C:B0:94:D5:E0:B7:57:FB:0F:58:42:AA:C8:13:A5:80:2F:E1

cert 2:
Serial Number:3e:0c:9e:87:69:aa:95:5c:ea:23:d8:45:9e:d4:5b:51
Subject: CN=Egypt Trust Class 3 Managed PKI Operational Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
Not Valid Before: Sun May 18 00:00:00 2008
Not Valid After : Thu May 17 23:59:59 2018
Fingerprint (MD5): D0:C3:71:17:3E:39:80:C6:50:4F:04:22:DF:40:E1:34
Fingerprint (SHA1): 9C:65:5E:D5:FA:E3:B8:96:4D:89:72:F6:3A:63:53:59:3F:5E:B4:4E

cert 3:
Issuer: CN=VeriSign Class 3 Public Primary Certification Authority - G3,OU="(c) 1999 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
Serial Number:12:bd:26:a2:ae:33:c0:7f:24:7b:6a:58:69:f2:0a:76
Subject: CN=Egypt Trust Class 3 Managed PKI SCO Administrator CA,OU=Terms of use at https://www.egypttrust.com/repository/rpa (c)08,OU=VeriSign Trust Network,O=Egypt Trust,C=EG
Not Valid Before: Sun May 18 00:00:00 2008
Not Valid After : Thu May 17 23:59:59 2018
Fingerprint (MD5): C2:13:5E:B2:67:8A:5C:F7:91:EF:8F:29:0F:9B:77:6E
Fingerprint (SHA1): 83:23:F1:4F:BC:9F:9B:80:B7:9D:ED:14:CD:01:57:CD:FB:08:95:D2

Depends on D79364

Disable the Email trust bit for the following root certs:

Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 023456
SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
SHA-256 Fingerprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A

Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B
SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0
SHA-256 Fingerprint: 5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766

Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008 GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F
SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
SHA-256 Fingerprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4

Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79
SHA-256 Fingerprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912

Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079
SHA-256 Fingerprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B

Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3
SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A
SHA-256 Fingerprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79

Subject: CN=VeriSign Class 3 Public Primary Certification Authority - G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
SHA-256 Fingerprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF

Depends on D79365

All changes:

Bug 1618402 - Remove 3 Symantec roots and disable Email trust bit for others
Bug 1621151 - Disable Email trust bit for GRCA root
Bug 1639987 - Remove expired Staat der Nederlanden Root CA - G2 root cert
Bug 1641718 - Remove "LuxTrust Global Root 2" root cert
Bug 1641716 - Add Microsoft's non-EV roots
Bug 1645174 - Add Microsec's "e-Szigno Root CA 2017" root cert
Bug 1645186 - Add "certSIGN Root CA G2" root cert
Bug 1645199 - Remove Expired AddTrust root certs

Depends on D79373

Attachment #9156085 - Attachment description: Bug 1618402 - Remove EgyptTrust distrust entries r?KathleenWilson,kjacobs → Bug 1618402 - Remove VeriSign CA and associated EgyptTrust distrust entries r?KathleenWilson,kjacobs