Closed Bug 1754896 Opened 3 years ago Closed 3 years ago

Enable EV Treatment for D-TRUST EV Root CA 1 2020 root certificate

Categories: Core :: Security: PSM, task
Status: RESOLVED FIXED
Target Milestone: 100 Branch
Tracking Status: firefox100 --- fixed
People: Reporter: kathleen.a.wilson, Assigned: jschanck

Per bug #1679258 the request from D-TRUST has been approved to enable the following root certificates for EV use. Please make the corresponding changes to PSM.

Friendly Name: D-TRUST EV Root CA 1 2020
SHA-1 Fingerprint: 61DB8C2159690390D87C9C128654CF9D3DF4DD07
SHA-256 Fingerprint: 08170D1AA36453901A2F959245E347DB0C8D37ABAABC56B81AA100DC958970DB
EV Policy OID: 2.23.140.1.1
Test URL: https://certdemo-ev-valid.tls.d-trust.net/

NOTE: Bug #1754890 must be completed (the cert added to NSS), before this EV-enablement may be implemented.

Depends on: 1754894
Assignee: nobody → jschanck
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/5d928a211c41 Enable EV Treatment for D-TRUST EV Root CA 1 2020. r=keeler
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 100 Branch

Enrico,

Please update the EV TLS certificate for https://certdemo-ev-valid.tls.d-trust.net/ to contain website owner information.

Background:
I'm trying to test this EV-enablement in Firefox Nightly, but when I browse to https://certdemo-ev-valid.tls.d-trust.net/ no website owner information is displayed. So I view the certificate, and it says:

Website Identity
Website: certdemo-ev-valid.tls.d-trust.net
Owner: This website does not supply ownership information.

Thanks,
Kathleen

Flags: needinfo?(enrico.entschew)

Kathleen,

I acknowledge your message. We have checked the EV TLS certificate of the test website and could not find any irregularity. Could you please provide us with more information about what could be the reason for this behaviour so that we can make the necessary changes and issue a new certificate?

Thanks,
Enrico

Flags: needinfo?(enrico.entschew)

Hi Enrico,

It appears that the problem is that the server certificate needs to have the 2.23.140.1.1 OID first.
Reference: https://wiki.mozilla.org/CA/EV_Processing_for_CAs#First_OID

Please add a comment to this bug when the certificate for https://certdemo-ev-valid.tls.d-trust.net/ has been updated.

Thanks,
Kathleen

Flags: needinfo?(enrico.entschew)

Per Bug #1769150 we are considering updating the PSM in Firefox so that the EV Policy OID does not have to be first. The earliest that would happen is Firefox 103.

Flags: needinfo?(enrico.entschew)
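
The ordering issue raised in the last two comments, as an added example that is not part of the bug or of Firefox's PSM code: a stdlib-only Python check that lists the policy OIDs of a DER-encoded certificatePolicies extension value in certificate order and reports where 2.23.140.1.1 sits. The sample bytes are constructed, and 2.999.1 is a placeholder standing in for a CA-specific policy OID.

```python
EV_OID = "2.23.140.1.1"  # EV Policy OID quoted in the bug
def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos:pos + 2]  # ValueError if the header is truncated
    pos += 2
    if length & 0x80:  # long form: low 7 bits count the length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    if not content or content[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for octet in content:  # base-128; a set high bit means more octets follow
        value = (value << 7) | (octet & 0x7F)
        if not octet & 0x80:
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first subidentifier packs arc1*40 + arc2
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def policy_oids(ext_value):
    """Policy OIDs, in certificate order, from a certificatePolicies value."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies is not a SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, info, pos = read_tlv(body, pos)  # one PolicyInformation
        oid_tag, oid, _ = read_tlv(info, 0)   # policyIdentifier; qualifiers skipped
        if tag != 0x30 or oid_tag != 0x06:
            raise ValueError("unexpected PolicyInformation layout")
        oids.append(decode_oid(oid))
    return oids

def ev_position(ext_value):
    """Index of the EV OID among the policy OIDs (0 = first), or -1 if absent."""
    oids = policy_oids(ext_value)
    return oids.index(EV_OID) if EV_OID in oids else -1

# Constructed samples; 2.999.1 is a placeholder for a CA-specific policy OID.
CA_OID_FIRST = bytes.fromhex("3010" "30050603883701" "3007060567810c0101")
EV_OID_FIRST = bytes.fromhex("3010" "3007060567810c0101" "30050603883701")
```

An index of 0 matches the "OID first" condition cited in the thread; any other non-negative index means the certificate carries the EV OID, just not in first position.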