Add another regenerated version of the Kazakhstan MITM root to OneCRL
Categories
(Core :: Security Block-lists, Allow-lists, and other State, task)
People
(Reporter: kathleen.a.wilson, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [ca-onecrl] )
Attachments
(1 file: 2.10 KB, application/x-x509-ca-cert)
+++ This bug was initially created as a clone of Bug #1713980 +++
The Kazakhstan government regenerated the root certificate that we added to OneCRL.
https://blog.mozilla.org/netpolicy/2020/12/18/kazakhstan-root-2020/
The certificate for https://check.isca.gov.kz now chains up to the following cert.
serial number 254498fcaadd96de5181472ed07b163ff79e6ad3
subject /C=KZ/O=ISCA/CN=Information Security Certification Authority
sha1 hash FABDA72FA1F620C160420A496194B61F82A01B4A
sha256 hash 0BD39DE4793CDC117138F47708AA4D583ACF67ADB059A0D91F668D1803BF6489
Please add the regenerated root cert to OneCRL.
Note: I don't know if adding the cert via subject and public key hash would make any difference. If you do, please proceed that way.
Test site shows as revoked as expected, using the staged block.
```
[16:44:27] Prod-Stage: 1410 Prod-Preview: 1410 Prod-Published: 1409 compare.py:75
Verifying stage against preview compare.py:82
stage/security-state-staging (1410) and stage/security-state-preview (1410) are equivalent compare.py:87
stage/security-state-staging (1410) and prod/security-state-staging (1410) are equivalent compare.py:87
stage/security-state-staging (1410) and prod/security-state-preview (1410) are equivalent compare.py:87
[16:44:28] stage/security-state-preview (1410) and prod/security-state-staging (1410) are equivalent compare.py:87
stage/security-state-preview (1410) and prod/security-state-preview (1410) are equivalent compare.py:87
prod/security-state-staging (1410) and prod/security-state-preview (1410) are equivalent compare.py:87
No changes are waiting in staging compare.py:90
There are 1 changes waiting in production. Adding: compare.py:99
{
    'details': {
        'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1717548',
        'who': 'dkeeler@mozilla.com',
        'why': 'Kazakhstan MITM (#7)',
        'name': 'Information Security Certification Authority',
        'created': '2021-06-21T23:32:05Z'
    },
    'enabled': True,
    'issuerName': 'MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==',
    'serialNumber': 'JUSY/Krdlt5RgUcu0HsWP/eeatM='
}
Staging is updated, and production changes are waiting, so Firefox can use compare.py:110
Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
OneCRL.
```
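An added example, not part of the bug or of Mozilla's tooling: the staged record's `issuerName` and `serialNumber` are base64 of the DER-encoded issuer name and the raw serial bytes, so a reviewer can decode them and compare against the serial and subject quoted in the description (for a self-signed root, issuer and subject are the same name). The function names are assumptions, and the small DER reader covers only what this name needs.

```python
import base64

# Values copied from the staged OneCRL record and the bug description above.
ENTRY = {
    "issuerName": "MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==",
    "serialNumber": "JUSY/Krdlt5RgUcu0HsWP/eeatM=",
}
REPORTED_SERIAL_HEX = "254498fcaadd96de5181472ed07b163ff79e6ad3"
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.10": "O"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # assumes the first subidentifier fits in one octet
    arcs, val = [min(body[0] // 40, 2)], 0
    arcs.append(body[0] - 40 * arcs[0])
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear marks the last octet of an arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def issuer_rdns(issuer_b64):
    """Decode a Name: SEQUENCE of SET of SEQUENCE {OID, string}, in DER order."""
    der = base64.b64decode(issuer_b64)
    tag, name, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("issuerName is not a single DER SEQUENCE")
    out, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)         # one RelativeDistinguishedName (SET)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)  # AttributeTypeAndValue
            _, oid, nxt = read_tlv(atv, 0)
            _, val, _ = read_tlv(atv, nxt)
            dotted = decode_oid(oid)
            out.append((OID_NAMES.get(dotted, dotted), val.decode("utf-8", "replace")))
    return out

def serial_matches(serial_b64, reported_hex):  # base64 serial vs. hex from the report
    return base64.b64decode(serial_b64).hex() == reported_hex.lower()
```

The decoded name lists its attributes in DER order (CN, O, C), which is the reverse of the order in which the description prints the subject.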
Reporter | Comment 2 • 3 years ago
Approved at Kinto Production. Thanks!
Reporter | Comment 3 • 3 years ago
Verified in my Firefox Nightly profile. Thanks!
Reporter | Comment 4 • 3 years ago
Verified in my Firefox Release profile.