Add another regenerated version of the Kazakhstan MITM root to OneCRL
Categories: Core :: Security Block-lists, Allow-lists, and other State (task)
People: Reporter: kathleen.a.wilson, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [ca-onecrl]
Attachments: 1 file (2.14 KB, application/x-x509-ca-cert)
+++ This bug was initially created as a clone of Bug #1717548 +++
https://isca.gov.kz/Information_Security_Certification_Authority_CA_pem.crt has changed again, so please add the new cert to OneCRL.
serial number 1089fc3f19c903f3839bcf70b97dc7cfaad3d4dd
subject /C=KZ/O=ISCA/CN=Information Security Certification Authority
not before 2020-02-28T06:48:23Z
not after 2040-02-28T06:48:23Z
sha1 hash A02F7A63A91F871029613AE880875FDC867BD03F
sha256 hash C95C133B68319EE516B5F41E377F589878AF1556567CC2834EF03B1D10830FD3
How about if we block it by subject and public key hash this time?
Would that make it so we don't have to add every single one?
Comment 1 • 4 years ago (Reporter)
Comment 2 • 4 years ago
They seem to be changing the key each time, so blocking by public key hash won't work, unfortunately.
Comment 3 • 4 years ago (Reporter)
Reviewed and approved in Kinto Staging.
Please proceed with testing or using remote-settings-devtools in a development profile to confirm the OneCRL data in Staging Nightly is as intended.
And please run the onecrl-entry-checker tool and provide the output in this bug.
Thanks!
Comment 4 • 4 years ago
Test site shows as revoked as expected, using the staged block.
[14:27:10] Stage-Stage: 1411 Stage-Preview: 1411 Stage-Published: 1411 compare.py:67
[14:27:11] Prod-Stage: 1411 Prod-Preview: 1411 Prod-Published: 1410 compare.py:75
Verifying stage against preview compare.py:82
stage/security-state-staging (1411) and stage/security-state-preview (1411) are equivalent compare.py:87
stage/security-state-staging (1411) and prod/security-state-staging (1411) are equivalent compare.py:87
stage/security-state-staging (1411) and prod/security-state-preview (1411) are equivalent compare.py:87
stage/security-state-preview (1411) and prod/security-state-staging (1411) are equivalent compare.py:87
stage/security-state-preview (1411) and prod/security-state-preview (1411) are equivalent compare.py:87
[14:27:12] prod/security-state-staging (1411) and prod/security-state-preview (1411) are equivalent compare.py:87
No changes are waiting in staging compare.py:90
There are 1 changes waiting in production. Adding: compare.py:99
{
'details': {
'bug': 'https://bugzilla.mozilla.org/show_bug.cgi?id=1719704',
'who': 'dkeeler@mozilla.com',
'why': 'Kazakhstan MITM (#8)',
'name': 'Information Security Certification Authority',
'created': '2021-07-08T19:58:35Z'
},
'enabled': True,
'issuerName': 'MFMxNTAzBgNVBAMTLEluZm9ybWF0aW9uIFNlY3VyaXR5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MQ0wCwYDVQQKEwRJU0NBMQswCQYDVQQGEwJLWg==',
'serialNumber': 'EIn8PxnJA/ODm89wuX3Hz6rT1N0='
}
Staging is updated, and production changes are waiting, so Firefox can use compare.py:110
Remote Settings DevTools (https://github.com/mozilla-extensions/remote-settings-devtools)
and cert-storage-inspector (https://github.com/mozkeeler/cert-storage-inspector) to test
OneCRL.
Comment 5 • 4 years ago (Reporter)
Approved at Kinto Production. Thanks!
Comment 6 • 4 years ago (Reporter)
Verified in my Firefox Nightly and Release profiles.