1939086 - Remove the S/MIME Trust Bit from the Security Communication ECC RootCA1 root cert

Status: RESOLVED FIXED

(NSS :: CA Certificates Code, enhancement)

Comment 1

[SECOM Trust Systems - ONO Fumiaki]

1. Subject/Issuer field values in the root certificate to be changed
   Issuer: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication ECC RootCA1
   Subject: C=JP, O=SECOM Trust Systems CO.,LTD., CN=Security Communication ECC RootCA1
2. SHA256 Fingerprint of the certificate to be changed
   E74FBDA55BD564C473A36B441AA799C8A68E077440E8288B9FA1E50E4BBACA11
   https://crt.sh/?q=E74FBDA55BD564C473A36B441AA799C8A68E077440E8288B9FA1E50E4BBACA11
3. Specify the change to be made
   Security Communication ECC RootCA1 is a Root CA specifically for TLS Servers CAs.
   Therefore, please disable only the Trust bit for "Secure Email."
4. Reason for requesting this change
   During the construction phase of Security Communication ECC RootCA1, we considered it as a multi-purpose Root CA.
   However, it is now a Root CA dedicated solely to TLS server certificates.
   Since we do not plan to construct any subordinate S/MIME CAs in the future, please disable the Trust bit for "Secure Email."
5. Impact that the change may have on Mozilla users
   There is no impact to Mozilla users.

Best Regards,

ONO, Fumiaki
SECOM Trust Systems Co., Ltd.

Comment 2

[Ben Wilson]

For this CA,
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR needs to be changed to:
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
Thanks,
Ben

Comment 3

[Dennis Jackson]

Attachment: Bug 1939086 - Turn off Secure Email Trust Bit for Security Communication ECC RootCA1. r=#nss-reviewers

Comment 4

[Dennis Jackson]

https://hg.mozilla.org/projects/nss/rev/d348a62fd98df78bceaf6ce066bafad6e9f272b2