Closed Bug 1741932 Opened 4 years ago Closed 4 years ago

Enable EV Treatment for the renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert

Categories: Core :: Security: PSM, task

Status: RESOLVED FIXED
Target Milestone: 97 Branch
Tracking Status: firefox97 --- fixed

People: (Reporter: kathleen.a.wilson, Assigned: jschanck)

Whiteboard: [psm-blocked] December 2021 Batch of EV Changes

Attachments: 1 file

Per bug #1102143 the request from Autoridad de Certificacion Firmaprofesional has been approved to enable the following root certificate for EV use. Please make the corresponding changes to PSM.

Friendly Name: Autoridad de Certificacion Firmaprofesional CIF A62634068
SHA-1 Fingerprint: 0BBEC2272249CB39AADB355C53E38CAE78FFB6FE
SHA-256 Fingerprint: 57DE0583EFD2B26E0361DA99DA9DF4648DEF7EE8441C3B728AFA9BCDE0F9B26A
EV Policy OID: 2.23.140.1.1
Test URL: https://testsslev2021.firmaprofesional.com

NOTE: Bug #1741930 must be completed (the cert added to NSS) before this EV-enablement may be implemented.

Chema,

Mozilla is moving towards only using the CA/Browser Forum EV Policy OID, rather than CA-specific EV Policy OIDs.
However, this CCADB Root Inclusion Case said to use 1.3.6.1.4.1.13177.10.1.3.10 as the EV Policy OID.

I ran https://tls-observatory.services.mozilla.com/static/ev-checker.html
with the new cert and
https://testsslev2021.firmaprofesional.com
and EV Policy OID 2.23.140.1.1

And it returned: ev-checker exited successfully: Success!

So I will update the root inclusion Case in the CCADB to have the EV Policy OID 2.23.140.1.1.

Please confirm that the CAB Forum EV OID (2.23.140.1.1) will always be the first EV OID found in the certificatePolicies extension of the end-entity certificate, as per https://wiki.mozilla.org/CA/EV_Processing_for_CAs#First_OID.

Flags: needinfo?(clopez)

Thanks. Kathleen.

Yes, we confirm that the CAB Forum EV OID (2.23.140.1.1) will always be the first EV OID found in the certificatePolicies extension of the end-entity certificate, as per https://wiki.mozilla.org/CA/EV_Processing_for_CAs#First_OID

Regarding the information provided, find below the right information:

  • Friendly Name: Autoridad de Certificacion Firmaprofesional CIF A62634068
  • Cert Location: http://crl.firmaprofesional.com/caroot.crt
  • SHA-1 Fingerprint: 0BBEC2272249CB39AADB355C53E38CAE78FFB6FE
  • SHA-256 Fingerprint: 57DE0583EFD2B26E0361DA99DA9DF4648DEF7EE8441C3B728AFA9BCDE0F9B26A
  • Trust Flags: Email; Websites
  • Although the proposed URL can be used for testing purposes, we also have a more generic URL for EV testing purposes:
Flags: needinfo?(clopez)
Assignee: nobody → jschanck
Status: NEW → ASSIGNED
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4b953fef5ff9 Enable EV Treatment for the renewed Autoridad de Certificacion Firmaprofesional CIF A62634068 root cert. r=keeler
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 97 Branch