Closed Bug 1709666 Opened 7 months ago Closed 7 months ago

Add another regenerated version of the Kazakhstan MITM root to OneCRL

Categories

(Core :: Security Block-lists, Allow-lists, and other State, task)

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

Details

(Whiteboard: [ca-onecrl] )

+++ This bug was initially created as a clone of Bug #1688277 +++

The Kazakhstan government regenerated the root certificate that we added to OneCRL.
https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-root-2020/

The certificate for https://check.isca.gov.kz now chains up to https://isca.gov.kz/Information_Security_Certification_Authority_CA_pem.crt with SHA256 fingerprint of 02:30:A6:04:D9:92:20:E5:61:2E:E7:86:2A:B9:F7:A6:E1:8E:4F:1A:C4:C9:E2:70:75:78:8C:C5:22:01:69:AB, issued last week.

The cert is also available here: https://crt.sh/?id=4478765041

Please add the regenerated root cert to OneCRL.

Test site https://check.isca.gov.kz/ shows revoked as expected.

```
[09:27:54] Prod-Stage: 1346 Prod-Preview: 1346 Prod-Published: 1345    compare.py:75
           Verifying stage against preview    compare.py:82
           stage/security-state-staging (1346) and stage/security-state-preview (1346) are equivalent    compare.py:87
           stage/security-state-staging (1346) and prod/security-state-staging (1346) are equivalent    compare.py:87
           stage/security-state-staging (1346) and prod/security-state-preview (1346) are equivalent    compare.py:87
           stage/security-state-preview (1346) and prod/security-state-staging (1346) are equivalent    compare.py:87
[09:27:55] stage/security-state-preview (1346) and prod/security-state-preview (1346) are equivalent    compare.py:87
           prod/security-state-staging (1346) and prod/security-state-preview (1346) are equivalent    compare.py:87
           No changes are waiting in staging    compare.py:90
           There are 1 changes waiting in production. Adding:    compare.py:99
{
    'details': {
        'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1709666',
        'who': 'dkeeler@mozilla.com',
        'why': 'Kazakhstan MITM (#5)',
        'name': 'Information Security Certification Authority',
        'created': '2021-05-06T00:05:29Z'
    },
    'enabled': True,
    'issuerName': 'MH0xCzAJBgNVBAYTAktaMRMwEQYDVQQIEwpOdXItU3VsdGFuMRMwEQYDVQQHEwpOdXItU3VsdGFuMQ0wCwYDVQQKEwRJU0NBMTUwMwYDVQQDEyxJbmZvcm1hdGlvbiBTZWN1cml0eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ==',
    'serialNumber': 'IwlJjil8X/4='
}
           Staging is updated, and production changes are waiting, so Firefox can use    compare.py:110
           Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
           and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
           OneCRL.
```
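
An added example, not part of the original bug thread or of Mozilla's tooling: the `issuerName` field of a OneCRL record is the base64 of the DER-encoded issuer Name and `serialNumber` is the base64 of the serial bytes, so a reviewer can decode both and compare them with the certificate being blocked. The function names are this example's own, and the small DER walker covers only the Name structure.

```python
import base64

# Short names for common X.520 attribute type OIDs.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):                       # yields (tag, value) per nested element
    pos = 0
    while pos < len(value):
        tag, inner, pos = read_tlv(value, pos)
        yield tag, inner

def decode_oid(raw):                       # DER OID content bytes -> dotted string
    arcs, acc = [], 0
    for byte in raw:
        acc = (acc << 7) | (byte & 0x7F)
        if not byte & 0x80:                # high bit clear ends one arc
            arcs.append(acc)
            acc = 0
    first = min(arcs[0] // 40, 2)          # first two arcs share one value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def decode_entry(entry):
    """Return (issuer DN string, serial as hex) for a OneCRL record."""
    tag, name, _ = read_tlv(base64.b64decode(entry["issuerName"]), 0)
    if tag != 0x30:
        raise ValueError("issuerName is not a DER SEQUENCE")
    parts = []
    for _, rdn in children(name):          # Name = SEQUENCE OF SET OF SEQUENCE
        for _, atv in children(rdn):
            (_, oid), (vtag, val) = children(atv)
            dotted = decode_oid(oid)
            text = val.decode("utf-16-be" if vtag == 0x1E else "utf-8", "replace")
            parts.append(f"{OID_NAMES.get(dotted, dotted)}={text}")
    return ", ".join(parts), base64.b64decode(entry["serialNumber"]).hex()

# Field values copied from the record shown in the log above.
ENTRY = {"serialNumber": "IwlJjil8X/4=", "issuerName":
         "MH0xCzAJBgNVBAYTAktaMRMwEQYDVQQIEwpOdXItU3VsdGFuMRMwEQYDVQQHEwpOdXItU3VsdGFuMQ0wCwYDVQQKEwRJU0NBMTUwMwYDVQQDEyxJbmZvcm1hdGlvbiBTZWN1cml0eSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eQ=="}
```

`decode_entry(ENTRY)` returns the issuer DN and the serial in hex, which can be checked against the issuer and serial fields of the certificate the entry is meant to revoke.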

I confirm that this new OneCRL entry is now in my Nightly Firefox profile. Thanks!

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED