Add another regenerated version of the Kazakhstan MITM root to OneCRL
Categories: Core :: Security Block-lists, Allow-lists, and other State, task
People: Reporter: kathleen.a.wilson, Unassigned
References: Blocks 1 open bug
Whiteboard: [ca-onecrl]
Attachments: 1 file (2.10 KB, application/x-x509-ca-cert)
+++ This bug was initially created as a clone of Bug #1709666 +++
The Kazakhstan government regenerated the root certificate that we added to OneCRL.
https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-root-2020/
The certificate for https://check.isca.gov.kz now chains up to the following cert, which is attached.
serial number 5877d30c6f0f3c367f8c34f286fda52843bbb9f3
subject /C=KZ/O=ISCA/CN=Information Security Certification Authority
not before 2020-02-28T06:30:37Z
not after 2040-02-28T06:30:37Z
sha1 hash BD36C412740F799DAD39E9A6450DDCCD099E93D9
sha256 hash 06FD20629C143B9EAB28D2799CAEFC5D23FDE267D16C631E3F5B8B4BAB3F68E6
Please add the regenerated root cert to OneCRL.
The cert is also available here: https://crt.sh/?id=4633597326
Reporter
Comment 1 • 3 years ago
Verified and approved in Kinto staging.
Test site https://check.isca.gov.kz/ shows revoked as expected.
[13:07:42] Stage-Stage: 1347 Stage-Preview: 1347 Stage-Published: 1347 compare.py:67
[13:07:43] Prod-Stage: 1347 Prod-Preview: 1347 Prod-Published: 1346 compare.py:75
Verifying stage against preview compare.py:82
stage/security-state-staging (1347) and stage/security-state-preview (1347) are equivalent compare.py:87
stage/security-state-staging (1347) and prod/security-state-staging (1347) are equivalent compare.py:87
stage/security-state-staging (1347) and prod/security-state-preview (1347) are equivalent compare.py:87
stage/security-state-preview (1347) and prod/security-state-staging (1347) are equivalent compare.py:87
stage/security-state-preview (1347) and prod/security-state-preview (1347) are equivalent compare.py:87
prod/security-state-staging (1347) and prod/security-state-preview (1347) are equivalent compare.py:87
[13:07:44] No changes are waiting in staging compare.py:90
There are 1 changes waiting in production. Adding: compare.py:99
{
'details': {
'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1713980',
'who': 'dkeeler@mozilla.com',
'why': 'Kazakhstan MITM (#6)',
'name': 'Information Security Certification Authority',
'created': '2021-06-02T19:29:08Z'
},
'enabled': True,
'issuerName': 'MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==',
'serialNumber': 'WHfTDG8PPDZ/jDTyhv2lKEO7ufM='
}
Staging is updated, and production changes are waiting, so Firefox can use compare.py:110
Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
OneCRL.
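Added example (not part of the bug thread or of Mozilla's tooling): one way to check that the OneCRL record printed above identifies the certificate from the description, by decoding the base64 `issuerName` (a DER-encoded X.501 Name) and `serialNumber` fields. The function names are hypothetical, and the string decoding assumes ASCII/UTF-8 attribute values, which holds for this record.

```python
import base64

RECORD = {  # field values copied from the compare.py output in this bug
    "issuerName": "MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==",
    "serialNumber": "WHfTDG8PPDZ/jDTyhv2lKEO7ufM=",
}
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}

def read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Turn OBJECT IDENTIFIER content bytes into dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def decode_name(b64_name):
    """Decode a base64 DER X.501 Name into [(attribute, value), ...]."""
    tag, rdns, _ = read_tlv(base64.b64decode(b64_name), 0)
    if tag != 0x30:
        raise ValueError("Name must be a DER SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)          # SET: one RDN
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)   # SEQUENCE {type, value}
            _, oid, off = read_tlv(atv, 0)
            _, val, _ = read_tlv(atv, off)
            name = decode_oid(oid)
            attrs.append((OID_NAMES.get(name, name), val.decode("utf-8")))
    return attrs

def serial_hex(b64_serial):
    """Hex form of the base64 serial, for comparison with the bug text."""
    return base64.b64decode(b64_serial).hex()
```

Running `serial_hex` and `decode_name` on `RECORD` yields the serial number and the C, O and CN values listed in the bug description.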
Reporter
Comment 3 • 3 years ago
Approved at Kinto Production. Thanks!
Reporter
Comment 4 • 3 years ago
Verified in my Firefox nightly and release profiles. Thanks!