PKIoverheid: Removal of websites trust bit for "Staat der Nederlanden Root CA – G3"
Product / Component: CA Program :: CA Certificate Root Program (task)
Reporter: david.weissenberg; Assigned: kathleen.a.wilson
Whiteboard: Websites trust bit disabled in NSS 3.63, Firefox 88
Comment 1 (Reporter, 3 years ago):
Hi,
As mentioned in Mozilla's Bug 1649964, from February 2021 onwards Logius wants to have public trust in their "Staat der Nederlanden Root CA – G3" removed due to the "Delegated OCSP Responder EKU" non-compliance (section 4.9.9 in the Baseline Requirements) and the resulting vulnerability. As previously discussed with Ben Wilson via email, Mozilla agreed to resolve this issue by disabling the "websites" trust bit from 1 February 2021 onward for our "Staat der Nederlanden Root CA – G3" root. Logius hereby requests Mozilla to make the appropriate changes to the NSS root store.
SHA-256: 3C4FB0B95AB8B30032F432B86F535FE172C185D0FD39865837CF36187FA6F428
SHA-1: D8EB6B41519259E0F3E78500C03DB68897C9EEFC
https://crt.sh/?id=8693290
If any additional information is required to implement this change, please let us know.
Logius would like to receive a confirmation when the change is implemented.
Kind regards,
David Weissenberg
Comment 2 (Reporter, 3 years ago):
Furthermore, we would like to draw your attention to the fact that the email trust bit for the Staat der Nederlanden Root CA – G3 is enabled.
We would like it to stay enabled.
Comment 3 (Assignee, 3 years ago):
David, please confirm which of the following actions should be taken on the 'Staat der Nederlanden Root CA – G3' root:
- Turn off the Websites trust bit. This action will cause all certificates issued in this CA hierarchy to not be trusted for SSL/TLS.
or
- Set 'Distrust for TLS After' to February 1, 2021. This action will cause certificates issued after February 1 in this CA hierarchy to not be trusted for SSL/TLS. SSL certificates issued before February 1 would continue to still be trusted until they expire or are revoked.
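To make the difference between the two actions concrete, here is an added example that is not code from this thread, from Logius, or from NSS (the real evaluation lives in NSS and mozilla::pkix, written in C). It models a root-store entry with the two knobs Kathleen names, the Websites/Email trust bits and a "Distrust for TLS After" date, and evaluates a few constructed leaf certificates under each option. The `RootPolicy` fields, the dict layout of the leaves, the sample dates, and the choice to reject only certificates whose notBefore is strictly after the cutoff (matching "issued after February 1" above) are my assumptions; the SHA-256 fingerprint is the one given in Comment 1.

```python
"""Model of the two root-store actions offered in Comment 3 (added example, not NSS code)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fingerprint of "Staat der Nederlanden Root CA - G3" as given in the thread.
ROOT_G3_SHA256 = "3C4FB0B95AB8B30032F432B86F535FE172C185D0FD39865837CF36187FA6F428"


@dataclass(frozen=True)
class RootPolicy:
    """One root-store entry. Field names are assumptions, not NSS/CCADB identifiers."""
    fingerprint_sha256: str
    trust_websites: bool                       # the "Websites" trust bit
    trust_email: bool                          # the "Email" trust bit
    distrust_for_tls_after: Optional[date] = None  # "Distrust for TLS After" cutoff


# Option 1: turn off the Websites trust bit; email stays on as Comment 2 asks.
OPTION_1 = RootPolicy(ROOT_G3_SHA256, trust_websites=False, trust_email=True)

# Option 2: keep the bit on, but distrust TLS certs issued after 1 February 2021.
OPTION_2 = RootPolicy(ROOT_G3_SHA256, trust_websites=True, trust_email=True,
                      distrust_for_tls_after=date(2021, 2, 1))

# Constructed leaf certificates: only the fields the policy needs.
OLD_LEAF = {"subject": "www.example.nl", "not_before": date(2020, 6, 15),
            "chain_root_sha256": ROOT_G3_SHA256}
CUTOFF_LEAF = {"subject": "edge.example.nl", "not_before": date(2021, 2, 1),
               "chain_root_sha256": ROOT_G3_SHA256}
NEW_LEAF = {"subject": "new.example.nl", "not_before": date(2021, 3, 10),
            "chain_root_sha256": ROOT_G3_SHA256}
OTHER_ROOT_LEAF = {"subject": "elsewhere.example", "not_before": date(2021, 3, 10),
                   "chain_root_sha256": "00" * 32}  # constructed, some other root


def _check_chain(leaf: dict, root: RootPolicy) -> None:
    """A policy only applies to chains that terminate in its root."""
    if leaf["chain_root_sha256"].upper() != root.fingerprint_sha256.upper():
        raise ValueError(f"{leaf['subject']} does not chain to this root")


def tls_trusted(leaf: dict, root: RootPolicy) -> bool:
    """Would a TLS client with this root entry accept the leaf for server auth?"""
    _check_chain(leaf, root)
    if not root.trust_websites:
        # Option 1: the whole hierarchy is distrusted for SSL/TLS, old certs included.
        return False
    cutoff = root.distrust_for_tls_after
    if cutoff is not None and leaf["not_before"] > cutoff:
        # Option 2: only certificates issued after the cutoff are rejected.
        return False
    return True


def email_trusted(leaf: dict, root: RootPolicy) -> bool:
    """S/MIME trust depends only on the Email bit; neither TLS knob touches it."""
    _check_chain(leaf, root)
    return root.trust_email


def compare_options(leaf: dict) -> dict:
    """Side-by-side outcome for one leaf under both options."""
    return {
        "option_1_tls": tls_trusted(leaf, OPTION_1),
        "option_2_tls": tls_trusted(leaf, OPTION_2),
        "email": email_trusted(leaf, OPTION_1) and email_trusted(leaf, OPTION_2),
    }


if __name__ == "__main__":
    for leaf in (OLD_LEAF, CUTOFF_LEAF, NEW_LEAF):
        print(f"{leaf['subject']:<18} issued {leaf['not_before']}: {compare_options(leaf)}")
```

Running it shows why Logius had to choose: option 1 cuts off every TLS certificate in the hierarchy immediately (their subscribers must already have migrated), while option 2 lets certificates issued up to the cutoff live out their validity and only blocks later issuance. Email trust is unchanged under either option, which is the point of Comment 2.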
Comment 4 (Reporter, 3 years ago):
Hello Kathleen,
We would like to opt for option 1 and would like Mozilla to turn off the website trust bit for the “Staat der Nederlanden Root CA - G3” with fingerprint SHA-256 3C4FB0B95AB8B30032F432B86F535FE172C185D0FD39865837CF36187FA6F428.
Comment 5 (Assignee, 3 years ago):
I have filed Bug #1687822 for the code changes in NSS.