Closed Bug 1905070 Opened 5 months ago Closed 2 months ago

Turn off Secure Email Trust Bit for certSIGN ROOT CA cert

Categories

(CA Program :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: gabriel.petcu, Assigned: bwilson)

Steps to reproduce:

A CCADB report on Intermediate Certificates with Failed ALV Results presented a set of certSIGN CAs with missing S/MIME BR audit.
certSIGN would like to fix this problem.

Actual results:

certSIGN would like to remove the Trust Bit “Secure Email” for the following root CA:
certSIGN ROOT CA with SHA256 Fingerprint: EAA962C4FA4A6BAFEBE415196D351CCD888D4F53F3FA8AE6D7C466A94E6042BB

The reason for this change:
certSIGN ROOT CA was created on 4 July 2006 (will expire in 2031) with ALL Issuance policies. According to Mozilla roots life-cycle proposal, for this root, the Websites Trust Bit will be removed on 15 April 2026. certSIGN already prepared the end-of-life cycle of this root and its intermediate CAs – most of them expiring in June 2025 – and ceased to issue certificates with any of the Intermediate CAs from the beginning of 2024.
The Secure Email trust bit is only inherited from the Root as a derived bit, it is not used, and certSIGN have no intention to use it, so certSIGN is asking for the removal of this bit from all ROOT Store Programs (Apple, Microsoft, Mozilla and Chrome).

Expected results:

There is no impact on Mozilla users.
There is no urgency on this change, except for the Intermediate Certificates with Failed ALV fix.

Type: defect → task
Assignee: nobody → bwilson
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Depends on: 1908009

This is now in Nightly 131.0a1 (2024-08-28)

Status: ASSIGNED → RESOLVED
Closed: 2 months ago
Resolution: --- → FIXED