Closed Bug 1717548 Opened 5 months ago Closed 5 months ago

Add another regenerated version of the Kazakhstan MITM root to OneCRL

Categories

(Core :: Security Block-lists, Allow-lists, and other State, task)

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

Details

(Whiteboard: [ca-onecrl] )

Attachments

(1 file)

2.10 KB, application/x-x509-ca-cert
Attached file June2021-ISCA.crt

+++ This bug was initially created as a clone of Bug #1713980 +++

The Kazakhstan government regenerated the root certificate that we added to OneCRL.
https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-root-2020/

The certificate for https://check.isca.gov.kz now chains up to the following cert.

https://crt.sh/?id=4739909320

serial number 254498fcaadd96de5181472ed07b163ff79e6ad3
subject /C=KZ/O=ISCA/CN=Information Security Certification Authority
sha1 hash FABDA72FA1F620C160420A496194B61F82A01B4A
sha256 hash 0BD39DE4793CDC117138F47708AA4D583ACF67ADB059A0D91F668D1803BF6489

Please add the regenerated root cert to OneCRL.

Note: I don't know if adding the cert via subject and public key hash would make any difference. If you do, please proceed that way.

Test site shows as revoked as expected, using the staged block.

```
[16:44:27] Prod-Stage: 1410 Prod-Preview: 1410 Prod-Published: 1409                                                                                                                            compare.py:75
           Verifying stage against preview                                                                                                                                                     compare.py:82
           stage/security-state-staging (1410) and stage/security-state-preview (1410) are equivalent                                                                                          compare.py:87
           stage/security-state-staging (1410) and prod/security-state-staging (1410) are equivalent                                                                                           compare.py:87
           stage/security-state-staging (1410) and prod/security-state-preview (1410) are equivalent                                                                                           compare.py:87
[16:44:28] stage/security-state-preview (1410) and prod/security-state-staging (1410) are equivalent                                                                                           compare.py:87
           stage/security-state-preview (1410) and prod/security-state-preview (1410) are equivalent                                                                                           compare.py:87
           prod/security-state-staging (1410) and prod/security-state-preview (1410) are equivalent                                                                                            compare.py:87
           No changes are waiting in staging                                                                                                                                                   compare.py:90
           There are 1 changes waiting in production. Adding:                                                                                                                                  compare.py:99
{
    'details': {
        'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1717548',
        'who': 'dkeeler@mozilla.com',
        'why': 'Kazakhstan MITM (#7)',
        'name': 'Information Security Certification Authority',
        'created': '2021-06-21T23:32:05Z'
    },
    'enabled': True,
    'issuerName': 'MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==',
    'serialNumber': 'JUSY/Krdlt5RgUcu0HsWP/eeatM='
}
           Staging is updated, and production changes are waiting, so Firefox can use                                                                                                         compare.py:110
           Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
           and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
           OneCRL.
```
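
An added example, not part of the original bug or of Mozilla's tooling: it decodes the `issuerName` and `serialNumber` fields of the record above with a minimal DER reader, so a reviewer can confirm the entry identifies the certificate named in the report. The function names and the small OID table are assumptions made for this example.

```python
import base64

# Values copied from the OneCRL record and the bug description on this page.
ISSUER_NAME_B64 = "MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg=="
SERIAL_B64 = "JUSY/Krdlt5RgUcu0HsWP/eeatM="
REPORTED_SERIAL = "254498fcaadd96de5181472ed07b163ff79e6ad3"
SHORT_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    subids, value = [], 0
    for byte in body:  # base-128 digits, high bit marks continuation
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            subids.append(value)
            value = 0
    first = min(subids[0] // 40, 2)  # first two arcs share one sub-identifier
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))

def decode_issuer(issuer_b64):
    """Decode a base64 DER Name into [(attribute, value), ...] in encoded
    order. Assumes string values are PrintableString or UTF8String."""
    tag, rdns, _ = read_tlv(base64.b64decode(issuer_b64), 0)
    if tag != 0x30:
        raise ValueError("Name must be a DER SEQUENCE")
    attrs, pos = [], 0
    while pos < len(rdns):
        _, rdn, pos = read_tlv(rdns, pos)  # SET: one RDN
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)  # SEQUENCE: type + value
            _, oid, value_pos = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, value_pos)
            name = decode_oid(oid)
            attrs.append((SHORT_NAMES.get(name, name), value.decode("utf-8")))
    return attrs

def decode_serial(serial_b64):
    return base64.b64decode(serial_b64).hex()  # raw serial bytes, as hex
```

The name decodes in the order CN, O, C, which is the order of the encoded bytes; the attributes are the same three listed in the report's subject line.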

Approved at Kinto Production. Thanks!

Verified in my Firefox Nightly profile. Thanks!

Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED

Verified in my Firefox Release profile.
