Closed Bug 1688277 Opened 10 months ago Closed 10 months ago

Add the regenerated version of the Kazakhstan MITM root to OneCRL

Categories

(Core :: Security Block-lists, Allow-lists, and other State, task)

task

Tracking

()

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: keeler)

Details

(Keywords: sec-other, Whiteboard: [ca-onecrl] )

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1680927 +++

The Kazakhstan government regenerated the root certificate that we added to OneCRL.
https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-root-2020/

Please add the regenerated root cert (attached) to OneCRL.

Approved at Kinto Staging.

For reference, the new cert has been added to crt.sh: https://crt.sh/?id=3967758934

Test site shows the root is revoked in staging, as expected.

[15:17:49] Stage-Stage: 1306 Stage-Preview: 1306 Stage-Published: 1306                                                                                                                         compare.py:67
[15:17:50] Prod-Stage: 1306 Prod-Preview: 1306 Prod-Published: 1305                                                                                                                            compare.py:75
           Verifying stage against preview                                                                                                                                                     compare.py:82
           stage/security-state-staging (1306) and stage/security-state-preview (1306) are equivalent                                                                                          compare.py:87
           stage/security-state-staging (1306) and prod/security-state-staging (1306) are equivalent                                                                                           compare.py:87
           stage/security-state-staging (1306) and prod/security-state-preview (1306) are equivalent                                                                                           compare.py:87
           stage/security-state-preview (1306) and prod/security-state-staging (1306) are equivalent                                                                                           compare.py:87
           stage/security-state-preview (1306) and prod/security-state-preview (1306) are equivalent                                                                                           compare.py:87
           prod/security-state-staging (1306) and prod/security-state-preview (1306) are equivalent                                                                                            compare.py:87
           No changes are waiting in staging                                                                                                                                                   compare.py:90
           There are 1 changes waiting in production. Adding:                                                                                                                                  compare.py:99
{
    'details': {
        'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1688277',
        'who': 'dkeeler@mozilla.com',
        'why': 'Kazakhstan MITM (#4)',
        'name': 'Information Security Certification Authority',
        'created': '2021-01-22T20:13:32Z'
    },
    'enabled': True,
    'issuerName': 'MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==',
    'serialNumber': 'e8S4MvOlwiPqsJG22mv4T3ELQkA='
}
           Staging is updated, and production changes are waiting, so Firefox can use                                                                                                         compare.py:110
           Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)                                                                                                        
           and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test                                                                                                         
           OneCRL.

Approved at Kinto Production.

Group: core-security → core-security-release
Type: enhancement → task
Keywords: sec-other

Added to OneCRL.

Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.