See bug 171331 for the problem report in PSM. There exist databases, where older versions of NSS report some CA certificates as being trusted, while the latest NSS builds report them as being untrusted. The problem is reported to be seen by simply switching between old and new builds back and forth. Actual behaviour: Previously valid CA certs are now valid Expected behaviour: NSS should interpret trust in the cert database like it did in the past. This bug report is based on what I conclude from bug 171331. I have not been able to see the problem myself.
We should resolve this bug in NSS 3.7. If it turns out to be a regression in NSS 3.6, we should get it fixed in a 3.6.x patch release.
Torben, why do you think this bug blocks bug 173939?
I had filed this bug, because I thought it would make sense to track the PSM status and the NSS status of the issue indepently. I intended to use this bug to track whether the problem is fixed within NSS, and bug 173939 to track whether the NSS fix had arrived in PSM.
Kai, You misunderstood my question. My question was directed at Torben because he made this bug block bug 173939. The PSM bug you want this bug to track is bug 171331, not bug 173939.
You're right, Wan-Teh, sorry.
Re #2: Due to the simmilarities between bug 171331 and bug 173939. See bug 173939 comment 23 and bug 171331 comment 30 and downwards. If you feel the dendency is wrong, feel free to remove it. Note that the cause of bug 173939 probably is bug 174634 which should be fixed in NSS (but not in the trunk I belive), does this also fix this bug and bug 171331?
Torben, in answer to your comment 6, please help us and verify whether the fix from bug 174634 also fixes bug 171331. You could follow the procedure that Wan-Teh describes in bug 173939 comment 36. Please state in bug 171331 whether this procudure fixes your problem or not.
Kai, I do not see bug 171331 (I do not use mozilla for mail, and do not have any Thawte Freemail certificates). I have added a comment in bug 171331 and asked someone to do the test however.
I am now confident this has nothing to do with bug 173939, because bug 173939 has been confirmed to been fixed by the patch for bug 174634. But I do have the patch for bug 174634 in my build, and I do see bug 171331! Removing dependency.
patch has been checked into NSS tip and NSS 3.6 branch.
patch is in, bug needs to be closed now..
Set the target milestone to 3.6.1 because the patch has been checked into the NSS 3.6 branch. (The patch is in bug 171331.)