Add DigiCert Global Root G2 and G5 root CAs to mozilla_services pinset
Categories: Core :: Security: PSM, task
People: Reporter: jbuck, Assigned: jbuck
Attachments (2 files): two text/x-phabricator-request entries, each flagged approval-mozilla-esr102+ by diannaS
When renewing a certificate for crash-stats.mozilla.com we found that DigiCert was issuing from the intermediate CA DigiCert Global G2 TLS RSA SHA256 2020 CA1, which is issued by the root CA DigiCert Global Root G2. Here is DigiCert's announcement that they're migrating to G2 root certificate hierarchies because they'll be distrusted by Mozilla in ~2 years. This root CA is currently not trusted by the mozilla_services pinset.
Could we please add DigiCert Global Root G2 to the trusted list for this pinset? And maybe we should add a comment about removing the DigiCert Global Root CA and DigiCert High Assurance EV Root CA CAs in a year or so...
Comment 1 (assignee) • 2 years ago
I also see that DigiCert is planning on changing the root CA again a few years from now to DigiCert G5. I wonder if we should consider adding DigiCert TLS ECC P384 Root G5 and/or DigiCert TLS RSA4096 Root G5 while we're at it?
Comment 2 (assignee) • 2 years ago
DigiCert is migrating users away from the G1 root CA, so we need to add the new G2 and G5 root CAs to continue using DigiCert certificates with many Firefox services.
Comment 3 (assignee) • 2 years ago
:keeler - Thank you for the review! Could you land this patch for me? I only have (dormant) level 1 access :)
Comment 6 • 2 years ago
bugherder
Comment 7 • 2 years ago
Should we uplift this to ESR102 also? It grafts cleanly.
Comment 9 • 2 years ago
Ryan: did this get uplifted? If not, ESR folks might start running into pin problems on some servers.
Comment 10 • 2 years ago
Jon, can you please request ESR approval on this?
Comment 11 (assignee) • 2 years ago
Comment on attachment 9317124 [details]
Bug 1815585 - Add DigiCert Global Root G2 and G5 CAs to mozilla_services pinset. r?keeler
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: DigiCert has started migrating users to the G2 root CAs by making it the default root CA when issuing or renewing a certificate. It requires an extra, optional step from ops to select the G1 root CA when issuing or renewing. ESR is the only release channel where this patch hasn't landed.
- User impact if declined: This patch has landed in the Firefox release channel, meaning that if ops did a TLS certificate renewal without the extra, optional step we could potentially block ESR releases from accessing that service while all other channels would continue to work.
- Fix Landed on Version: 111
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This patch only adds to the list of permitted root CAs in the mozilla_services pinset and is in the current Firefox release channel. The alternative to taking this patch now is waiting for the next ESR release in July 2023 (I think, right?)
Comment 12 • 2 years ago
Comment on attachment 9317124 [details]
Bug 1815585 - Add DigiCert Global Root G2 and G5 CAs to mozilla_services pinset. r?keeler
Approved for 102.10esr
Comment 13 • 2 years ago
bugherder uplift
Comment 14 • 2 years ago
This caused an issue in ESR102 because DigiCert G5 roots are not in esr102. Can they be removed from the pinset for ESR-102?
Failure log for the Linux x64 opt repo-update-hsts-hpkp-blocklist job:
JavaScript error: /home/worker/scripts/genHPKPStaticPins.js, line 484: Error: ERROR: Can't find 'DigiCert TLS ECC P384 Root G5' in certNameToSKD
Comment 15 • 2 years ago
These roots weren't yet included in 102.
Comment 16 • 2 years ago
bugherder uplift
Comment 17 (assignee) • 2 years ago
:jcristau - thank you for fixing that! That should be fine, given that we're not expecting to use the G5 roots any time in the next few months, and ESR115 will have these roots included.