Closed Bug 1684158 Opened 3 years ago Closed 3 years ago

PKIoverheid: Removal of websites trust bit for "Staat der Nederlanden Root CA – G3"

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: david.weissenberg, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: Websites trust bit disabled in NSS 3.63, Firefox 88)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0

Hi,

As mentioned in Mozilla's Bug 1649964, from February 2021 onwards Logius wants to have public trust in their "Staat der Nederlanden Root CA – G3" removed due to the "Delegated OCSP Responder EKU" non-compliance (section 4.9.9 in Baseline Requirements) and resulting vulnerability. As previously discussed with Ben Wilson via email, Mozilla agreed to resolve this issue by disabling the "websites" trust bit from 1 February 2021 onward for our "Staat der Nederlanden Root CA – G3" root. Logius hereby requests Mozilla to make the appropriate changes to the NSS root store.

SHA-256 3C4FB0B95AB8B30032F432B86F535FE172C185D0FD39865837CF36187FA6F428
SHA-1 D8EB6B41519259E0F3E78500C03DB68897C9EEFC
https://crt.sh/?id=8693290

If any additional information is required to implement this change, please let us know.

Logius would like to receive a confirmation when the change is implemented.

Kind regards,

David Weissenberg

Assignee: nobody → kwilson
Status: UNCONFIRMED → ASSIGNED
Type: enhancement → task
Ever confirmed: true

Furthermore, we would like to draw your attention to the fact that the email trust bit for the Staat der Nederlanden Root CA – G3 is enabled.
We would like it to stay enabled.

Component: CA Certificates Code → CA Certificate Root Program
QA Contact: kwilson

David, please confirm which of the following actions should be taken on the 'Staat der Nederlanden Root CA – G3' root:

  1. Turn off the Websites trust bit. This action will cause all certificates issued in this CA hierarchy to not be trusted for SSL/TLS.

or

  2. Set 'Distrust for TLS After' to February 1, 2021. This action will cause certificates issued after February 1 in this CA hierarchy to not be trusted for SSL/TLS. SSL certificates issued before February 1 would continue to still be trusted until they expire or are revoked.
Flags: needinfo?(david.weissenberg)
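The two actions offered above differ in what happens to already-issued TLS certificates. The following model, added here and not code from the bug or from NSS, applies each option's rule to a leaf's notBefore date for the root fingerprint quoted in this bug; the store layout, the helper names and the treatment of "issued after" as strictly later than the cut-off date are assumptions, not NSS behaviour.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Optional

# SHA-256 fingerprint quoted in the bug for "Staat der Nederlanden Root CA - G3".
SDN_ROOT_G3_SHA256 = "3C4FB0B95AB8B30032F432B86F535FE172C185D0FD39865837CF36187FA6F428"


def normalize_fp(fp: str) -> str:
    """Canonicalise a SHA-256 fingerprint: strip colons/spaces, upper-case hex."""
    cleaned = fp.replace(":", "").replace(" ", "").upper()
    if len(cleaned) != 64 or any(c not in "0123456789ABCDEF" for c in cleaned):
        raise ValueError(f"not a SHA-256 fingerprint: {fp!r}")
    return cleaned


@dataclass(frozen=True)
class RootTrust:
    websites: bool                               # TLS server-auth trust bit
    email: bool                                  # S/MIME trust bit (kept enabled in this bug)
    distrust_tls_after: Optional[date] = None    # cut-off applied to the leaf's notBefore


def tls_trusted(store: Dict[str, RootTrust], root_fp: str, leaf_not_before: date) -> bool:
    """Is a TLS chain ending in root_fp trusted, given the leaf's notBefore date?"""
    root = store.get(normalize_fp(root_fp))
    if root is None or not root.websites:
        return False      # unknown root, or websites bit off: nothing is trusted for TLS
    if root.distrust_tls_after is not None and leaf_not_before > root.distrust_tls_after:
        return False      # assumption: "issued after" means strictly later than the cut-off
    return True


def email_trusted(store: Dict[str, RootTrust], root_fp: str) -> bool:
    root = store.get(normalize_fp(root_fp))
    return root is not None and root.email


# Option 1 (the action Logius chose): websites bit off, email bit left on.
STORE_OPTION_1 = {SDN_ROOT_G3_SHA256: RootTrust(websites=False, email=True)}
# Option 2 (offered, not chosen): websites bit on, TLS distrusted for leaves issued after 2021-02-01.
STORE_OPTION_2 = {SDN_ROOT_G3_SHA256: RootTrust(websites=True, email=True,
                                                distrust_tls_after=date(2021, 2, 1))}
# Constructed leaf issue dates: one before and one after the cut-off.
LEAF_DATES = (date(2020, 12, 15), date(2021, 3, 1))


def compare_options() -> Dict[str, Dict[str, bool]]:
    """TLS trust verdict per option and per constructed leaf issue date."""
    colon_fp = ":".join(SDN_ROOT_G3_SHA256[i:i + 2] for i in range(0, 64, 2)).lower()
    return {label: {d.isoformat(): tls_trusted(store, colon_fp, d) for d in LEAF_DATES}
            for label, store in (("option 1", STORE_OPTION_1), ("option 2", STORE_OPTION_2))}


if __name__ == "__main__":
    print(compare_options())
    print("email still trusted under option 1:", email_trusted(STORE_OPTION_1, SDN_ROOT_G3_SHA256))
```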

Hello Kathleen,

We would like to opt for option 1. and would like Mozilla to turn off the website trust bit for the “Staat der Nederlanden Root CA - G3” with fingerprint: SHA-256 3C4FB0B95AB8B30032F432B86F535FE172C185D0FD39865837CF36187FA6F428.

Flags: needinfo?(david.weissenberg)
Depends on: 1687822

I have filed Bug #1687822 for the code changes in NSS.

Whiteboard: pending NSS code changes
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Whiteboard: pending NSS code changes → Websites trust bit disabled in NSS 3.63, Firefox 88
Product: NSS → CA Program