207379 - Update built-in roots.

Status: VERIFIED FIXED

(NSS :: Libraries, defect, P2)

Description

[Stephane Saux]

Remove Valicert Class 1 Validation Authority OCSP root.
SHA1 fingerprint: 
5B:76:B1:BC:E2:8A:F0:F6:71:91:85:67:26:8D:11:69:0F:17:3F:73

Remove Baltimore:

Comment 1

[Samir Gehani]

adt: nsbeta1+/adt1

Comment 2

[Wan-Teh Chang]

Assigned the bug to Bob.  This should block Mozilla
1.4 and the Netscape client based on Mozilla 1.4.

Comment 3

[Wan-Teh Chang]

Attachment: Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

For brevity I omitted the changes to certdata.c,
which is a generated file.

Comment 4

[Wan-Teh Chang]

Attachment: Proposed patch for NSS tip (changes to certdata.c omitted)

Comment 5

[Wan-Teh Chang]

Comment on attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

Bob, please review this patch.

I converted the provided hexadecimal SHA1 fingerprint
to octal.  It is
133 166 261 274 342 212 360 366 161 221 205 147 046 215 021 151 017 027 077
163.
You can use this to verify that I deleted the right
root cert.

I bumped the minor version to 30 on the 3.8 branch
because 3x seems to be the minor version for the
3.8 branch according to bug 169038.  Similarly the
tip (3.9) should have the minor version 40.

Comment 6

[Robert Relyea]

Comment on attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

r=relyea

patch does remove valicert certificate. & trust object.

Comment 7

[Wan-Teh Chang]

Comment on attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

Requesting mozilla 1.4 approval.  This is a low risk patch.
It removes a certificate from NSS's built-in list of root
CA certificates.  This change is a requirement for the
Netscape client based on Mozilla 1.4.

Comment 8

[Samir Gehani]

a=adt for landing this on the 1.4 branch.

Comment 9

[Asa Dotzler [:asa]]

Comment on attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

a=asa (on behalf of drivers) for checkin to the 1.4 branch.

Comment 10

[Wan-Teh Chang]

Fix checked in on the NSS trunk (NSS 3.9), NSS_3_8_BRANCH (NSS 3.8.1),
NSS_CLIENT_TAG (mozilla 1.5alpha), and MOZILLA_1_4_BRANCH (mozilla 1.4
final).

No changes were made to the Baltimore roots.  Please open a separate
bug for them.

Comment 11

[Wan-Teh Chang]

Attachment: Documentation change

1. Add instructions on removing a builtin root CA cert
to the README file.

2. Add a table of the range of the module's library minor
versions for each NSS 3.x branch to nssckbi.h.

Comment 12

[Wan-Teh Chang]

Attachment: Documentation change v1.1

Comment 13

[Wan-Teh Chang]

Attachment: Proposed patch for NSS 3.7 branch (changes to certdata.c omitted)

Bumped the module's minor version to 21 (from 20).
Changed NSS version to 3.7.6 (from 3.7.5).

Bob, could you review this patch?  Thanks.

Comment 14

[Wan-Teh Chang]

Patch checked into NSS_3_7_BRANCH for NSS 3.7.6.

Comment 15

[Bishakha Banerjee]

verified that fix made it into the said branches

Comment 16

[Paul Wyskoczka]

marking verified1.4