Closed Bug 1668131 Opened 4 years ago Closed 4 years ago

Remove Symantec PCAs from Root Store

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bwilson, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: NSS(Bug #1670769) - NSS 3.60, FF 85)

DigiCert has requested that the following primary root CAs be removed from the Mozilla Root Store:

VeriSign Class 3 Public Primary Certification Authority - G5
o https://crt.sh/?id=93
o Serial number: 18dad19e267de8bb4a2158cdcc6b3b4a
o SHA2 thumbprints: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF

thawte Primary Root CA - G3
o https://crt.sh/?id=254193
o Serial number: 600197b746a7eab4b49ad64b2ff790fb
o SHA2 thumbprints: 4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C

thawte Primary Root CA
o https://crt.sh/?id=30
o Serial number: 344ed55720d5edec49f42fce37db2b6d
o SHA2 thumbprints: 8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F

GeoTrust Primary Certification Authority
o https://crt.sh/?id=4350
o Serial number: 18acb56afd69b6153a636cafdafac4a1
o SHA2 thumbprints: 37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C

I will add this to our next batch of root changes, which will probably go into NSS in December.

Assignee: bwilson → kwilson

DigiCert sent email requesting that the following root certs be removed.

GeoTrust Global CA
https://crt.sh/?id=17
Serial number: 023456
SHA2 thumbprint: FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 1/1/2020

GeoTrust Primary Certification Authority
https://crt.sh/?id=4350
Serial number: 18ACB56AFD69B6153A636CAFDAFAC4A1
SHA2 thumbprint: 37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 1.3.6.1.4.1.14370.1.6
Distrust for TLS After Date: 4/30/2019

GeoTrust Primary Certification Authority - G3
https://crt.sh/?id=847444
Serial number: 15AC6E9419B2794B41F627A9C3180F1F
SHA2 thumbprint: B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 1.3.6.1.4.1.14370.1.6
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA
https://crt.sh/?id=30
Serial number: 344ED55720D5EDEC49F42FCE37DB2B6D
SHA2 thumbprint: 8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.48.1
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA - G3
https://crt.sh/?id=254193
Serial number: 600197B746A7EAB4B49AD64B2FF790FB
SHA2 thumbprint: 4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.48.1
Distrust for TLS After Date: 4/30/2019

VeriSign Class 3 Public Primary Certification Authority - G4
https://crt.sh/?id=2771491
Serial number: 2F80FE238C0E220F486712289187ACB3
SHA2 thumbprint: 69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.23.6
Distrust for TLS After Date: 1/31/2019

VeriSign Class 3 Public Primary Certification Authority - G5
https://crt.sh/?id=93
Serial number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
SHA2 thumbprint: 9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF
Mozilla Trust Bits: Websites
Mozilla EV Policy OID: 2.16.840.1.113733.1.7.23.6
Distrust for TLS After Date: 4/30/2019

thawte Primary Root CA - G2
https://crt.sh/?id=3382830
Serial number: 35FC265CD9844FC93D263D579BAED756
SHA2 thumbprint: A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 9/30/2018

GeoTrust Universal CA
https://crt.sh/?id=4174851
Serial number: 01
SHA2 thumbprint: A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 9/30/2018

GeoTrust Universal CA 2
https://crt.sh/?id=4175126
Serial number: 01
SHA2 thumbprint: A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B
Mozilla Trust Bits: Websites
Not EV
Distrust for TLS After Date: 1/1/2020
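
A defender-side check for the list above, as an added example that is not part of the bug or of Mozilla's or DigiCert's tooling: it scans a PEM bundle and reports any entry whose SHA-256 thumbprint is on the removal list. The function names, the command-line bundle argument and the sample bytes are assumptions made for illustration; the thumbprints are the ones listed in the comment.

```python
import base64
import hashlib
import re
import sys

# SHA-256 thumbprints copied from the removal list in the comment above.
REMOVED_ROOTS = {
    "FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A": "GeoTrust Global CA",
    "37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C": "GeoTrust Primary Certification Authority",
    "B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4": "GeoTrust Primary Certification Authority - G3",
    "8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F": "thawte Primary Root CA",
    "4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C": "thawte Primary Root CA - G3",
    "69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79": "VeriSign Class 3 Public Primary Certification Authority - G4",
    "9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF": "VeriSign Class 3 Public Primary Certification Authority - G5",
    "A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557": "thawte Primary Root CA - G2",
    "A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912": "GeoTrust Universal CA",
    "A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B": "GeoTrust Universal CA 2",
}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def normalize(fp):  # keep hex digits only, so 'ab:cd' and 'ABCD' compare equal
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def to_pem(der):
    """Wrap raw bytes in PEM armor (used to build the constructed sample)."""
    return "-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode() + "-----END CERTIFICATE-----\n"

def find_removed_roots(pem_text, removed=REMOVED_ROOTS):
    """Return (position, name, thumbprint) for each bundle entry on the list."""
    wanted = {normalize(fp): name for fp, name in removed.items()}
    hits = []
    for index, match in enumerate(PEM_RE.finditer(pem_text)):
        der = base64.b64decode("".join(match.group(1).split()))
        fp = hashlib.sha256(der).hexdigest().upper()  # thumbprint is over the DER bytes
        if fp in wanted:
            hits.append((index, wanted[fp], fp))
    return hits

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit the bundle named on the command line
        with open(sys.argv[1], errors="replace") as fh:
            hits = find_removed_roots(fh.read())
    else:  # constructed sample: placeholder bytes, not real certificates
        fake = b"constructed bytes, not a real certificate"
        sample = to_pem(b"another constructed blob") + to_pem(fake)
        hits = find_removed_roots(sample, {hashlib.sha256(fake).hexdigest(): "constructed entry"})
    for index, name, fp in hits:
        print(f"entry {index}: {name} ({fp})")
```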

Brenda, please confirm that the list in Comment #2 is accurate.

Flags: needinfo?(brenda.bernal)

Hi Kathleen, yes, we will confirm and get back to you shortly.

Flags: needinfo?(brenda.bernal)

This bug should probably be moved to the CA Certificates Code component on Bugzilla.

(In reply to Mathew Hodson from comment #5)
> This bug should probably be moved to the CA Certificates Code component on Bugzilla.

No. I will open a separate bug for the actual code changes, once this list is finalized. Thanks.

Confirming that the above looks good (comment #2).

Depends on: 1670769
Depends on: 1670772
Whiteboard: Pending PSM (Bug #1670772) and NSS(Bug #1670769) code changes
Whiteboard: Pending PSM (Bug #1670772) and NSS(Bug #1670769) code changes → Pending NSS(Bug #1670769) code changes
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: Pending NSS(Bug #1670769) code changes → NSS(Bug #1670769) - NSS 3.60, FF 85
Product: NSS → CA Program