OneCRL entries missing leading 00
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
People
(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)
Details
(Whiteboard: [ca-onecrl])
The following 3 entries in OneCRL are missing the expected leading 00.
Does the Firefox code that uses OneCRL need to have the "00" present? Or absent?
Or can it tolerate the leading 0s being either present or absent?
Does the OneCRL update code need to be fixed to retain the leading 0s?
- Serial Number in OneCRL: 9898e8
Certificate Serial Number: 009898E8
Certificate: https://crt.sh/?id=6010524
Added to OneCRL via Bug #1678378.
Firefox should recognize that this intermediate certificate is revoked. So if Firefox does not handle the missing 00, then this entry in OneCRL needs to be fixed -- incorrect entry removed, and correct entry with the leading 00 added.
- Serial Number in OneCRL: b0f35c09213d3648378f2e48375c5ed9
Added to OneCRL via Bug #1155145.
Signed by: https://crt.sh/?id=1862521 which is itself revoked.
Therefore, this entry should be removed from OneCRL.
- Serial Number in OneCRL: e39288e16231c977cdaddb5d8fb0ba
Added to OneCRL via Bug #1214321#c26.
This entry should be removed from OneCRL, as requested in Bug #1337228.
Comment 1•4 years ago
(In reply to Kathleen Wilson from comment #0)
> The following 3 entries in OneCRL are missing the expected leading 00.
> Does the Firefox code that uses OneCRL need to have the "00" present? Or absent?
> Or can it tolerate the leading 0s being either present or absent?
Firefox needs the contents of the serials to be identical to how they appear in the certificates in question. So, if the certificate has a leading "00", it must be in the OneCRL entry.
> Does the OneCRL update code need to be fixed to retain the leading 0s?
> - Serial Number in OneCRL: 9898e8
> Certificate Serial Number: 009898E8
> Certificate: https://crt.sh/?id=6010524
> Added to OneCRL via Bug #1678378.
> Firefox should recognize that this intermediate certificate is revoked. So if Firefox does not handle the missing 00, then this entry in OneCRL needs to be fixed -- incorrect entry removed, and correct entry with the leading 00 added.
This will need to be updated in OneCRL.
> - Serial Number in OneCRL: b0f35c09213d3648378f2e48375c5ed9
> Added to OneCRL via Bug #1155145.
> Signed by: https://crt.sh/?id=1862521 which is itself revoked.
> Therefore, this entry should be removed from OneCRL.
This can be removed.
> - Serial Number in OneCRL: e39288e16231c977cdaddb5d8fb0ba
> Added to OneCRL via Bug #1214321#c26.
> This entry should be removed from OneCRL, as requested in Bug #1337228.
Let's handle this one as part of that bug.
Comment 2•4 years ago
[17:14:42] Stage-Stage: 1328 Stage-Preview: 1328 Stage-Published: 1328 compare.py:67
[17:14:43] Prod-Stage: 1328 Prod-Preview: 1328 Prod-Published: 1329 compare.py:75
Verifying stage against preview compare.py:82
stage/security-state-staging (1328) and stage/security-state-preview (1328) are equivalent compare.py:87
stage/security-state-staging (1328) and prod/security-state-staging (1328) are equivalent compare.py:87
stage/security-state-staging (1328) and prod/security-state-preview (1328) are equivalent compare.py:87
stage/security-state-preview (1328) and prod/security-state-staging (1328) are equivalent compare.py:87
stage/security-state-preview (1328) and prod/security-state-preview (1328) are equivalent compare.py:87
prod/security-state-staging (1328) and prod/security-state-preview (1328) are equivalent compare.py:87
No changes are waiting in staging compare.py:90
There are -1 changes waiting in production. Adding: compare.py:99
{
'details': {'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1694779', 'who': '', 'why': '', 'name': '', 'created': '2021-02-25T00:48:11Z'},
'enabled': True,
'issuerName': 'MFgxCzAJBgNVBAYTAk5MMR4wHAYDVQQKDBVTdGFhdCBkZXIgTmVkZXJsYW5kZW4xKTAnBgNVBAMMIFN0YWF0IGRlciBOZWRlcmxhbmRlbiBFViBSb290IENB',
'serialNumber': 'AJiY6A=='
}
Staging is updated, and production changes are waiting, so Firefox can use compare.py:110
Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
OneCRL.
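An added illustration, not part of the bug thread or of Mozilla's tooling: it shows why `9898e8` and `009898E8` are different OneCRL entries and how the dropped `00` can be spotted from the stored value alone. It assumes `serialNumber` is the base64 of the serial's bytes as they appear in the certificate, which is consistent with `AJiY6A==` in the record above; all function names are hypothetical.

```python
import base64

# Serials quoted in comment 0 (hex, as stored in OneCRL at the time).
REPORTED = ["9898e8", "b0f35c09213d3648378f2e48375c5ed9",
            "e39288e16231c977cdaddb5d8fb0ba"]

def onecrl_serial(serial_hex: str) -> str:
    """Base64 of the serial bytes exactly as written, leading 00 included."""
    return base64.b64encode(bytes.fromhex(serial_hex)).decode("ascii")

def der_integer_content(value: int) -> bytes:
    """Content octets of a non-negative DER INTEGER (two's complement)."""
    if value < 0:
        raise ValueError("negative serials are outside this example")
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    # A set top bit would make the value negative, so DER prepends 00.
    return b"\x00" + raw if raw[0] & 0x80 else raw

def audit_entry(serial_b64: str) -> str:
    """Flag a stored serialNumber that cannot be a positive DER serial."""
    raw = base64.b64decode(serial_b64, validate=True)
    if not raw:
        return "empty"
    if raw[0] & 0x80:
        # Either the leading 00 was dropped or the serial really is negative;
        # only the certificate itself can tell the two apart.
        return "suspect: top bit set, leading 00 may be missing"
    return "ok"

def matches(serial_b64: str, cert_serial_hex: str) -> bool:
    """Byte-for-byte comparison, the matching rule stated in comment 1."""
    return base64.b64decode(serial_b64, validate=True) == bytes.fromhex(cert_serial_hex)

def audit_reported() -> dict:
    """Audit the three serials from comment 0 as they were stored."""
    return {h: audit_entry(onecrl_serial(h)) for h in REPORTED}

if __name__ == "__main__":
    for serial_hex, verdict in audit_reported().items():
        print(f"{serial_hex}: {verdict}")
    print("fixed entry:", onecrl_serial("009898E8"), audit_entry("AJiY6A=="))
```

All three serials from comment 0 begin with a byte whose top bit is set, which is why each is flagged; the corrected entry passes.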
Assignee
Comment 3•4 years ago
I confirm that these updates to OneCRL are now in my Firefox profile. (1 addition, and 2 removals)
Thanks!
Assignee
Comment 4•4 years ago
I also confirm that these updates to OneCRL are now in my Firefox Release profile.