Update built-in roots.

VERIFIED FIXED in 3.8.1

Status

NSS
Libraries
P2
normal
VERIFIED FIXED
14 years ago
14 years ago

People

(Reporter: Stephane Saux, Assigned: Robert Relyea)

Tracking

unspecified
3.8.1
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [adt1][ETA: can land upon drivers' approval][3.7.6])

Attachments

(4 attachments, 1 obsolete attachment)

(Reporter)

Description

14 years ago
Remove Valicert Class 1 Validation Authority OCSP root.
SHA1 fingerprint: 5B:76:B1:BC:E2:8A:F0:F6:71:91:85:67:26:8D:11:69:0F:17:3F:73

Remove Baltimore:

Comment 1

14 years ago
adt: nsbeta1+/adt1
Keywords: nsbeta1 → nsbeta1+
Whiteboard: [adt1]

Comment 2

14 years ago
Assigned the bug to Bob.  This should block Mozilla
1.4 and the Netscape client based on Mozilla 1.4.
Assignee: wtc → relyea
Flags: blocking1.4?
Priority: -- → P2
Target Milestone: --- → 3.8.1

Comment 3

14 years ago
Created attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

For brevity I omitted the changes to certdata.c,
which is a generated file.

Comment 4

14 years ago
Created attachment 124409 [details] [diff] [review]
Proposed patch for NSS tip (changes to certdata.c omitted)

Comment 5

14 years ago
Comment on attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

Bob, please review this patch.

I converted the provided hexadecimal SHA1 fingerprint
to octal.  It is
133 166 261 274 342 212 360 366 161 221 205 147 046 215 021 151 017 027 077 163.
You can use this to verify that I deleted the right
root cert.

I bumped the minor version to 30 on the 3.8 branch
because 3x seems to be the minor version for the
3.8 branch according to bug 169038.  Similarly the
tip (3.9) should have the minor version 40.
Attachment #124408 - Flags: review?(relyea)
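
The check Comment 5 describes, as an added example that is not part of the original bug or of NSS's own code: convert the hex fingerprint to octal, then confirm that no remaining root carries that SHA1 hash. It assumes the `CKA_CERT_SHA1_HASH MULTILINE_OCTAL ... END` layout of NSS's certdata.txt; the two excerpts and all function names are constructed for illustration.

```python
import re

# Fingerprint quoted in the bug description.
VALICERT_FP = "5B:76:B1:BC:E2:8A:F0:F6:71:91:85:67:26:8D:11:69:0F:17:3F:73"

# Constructed excerpts (not real NSS data): the first hash is the one from
# the bug, the second is a made-up placeholder root.
PLACEHOLDER = r"""CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\000\001\002\003\004\005\006\007\010\011\012\013\014\015\016\017
\020\021\022\023
END
"""
BEFORE = r"""CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\133\166\261\274\342\212\360\366\161\221\205\147\046\215\021\151
\017\027\077\163
END
""" + PLACEHOLDER
AFTER = PLACEHOLDER

HASH_BLOCK = re.compile(r"CKA_CERT_SHA1_HASH\s+MULTILINE_OCTAL\n(.*?)\nEND", re.S)

def fingerprint_bytes(fp):
    """Parse a colon-separated hex SHA-1 fingerprint into 20 raw bytes."""
    raw = bytes.fromhex(fp.strip().replace(":", ""))
    if len(raw) != 20:
        raise ValueError("a SHA-1 fingerprint is 20 bytes, got %d" % len(raw))
    return raw

def to_octal(raw):
    """Render bytes the way Comment 5 lists them: 3-digit octal, space separated."""
    return " ".join("%03o" % b for b in raw)

def sha1_hashes(certdata_text):
    """Decode every CKA_CERT_SHA1_HASH block in certdata.txt-style text."""
    hashes = []
    for block in HASH_BLOCK.finditer(certdata_text):
        octets = re.findall(r"\\([0-3][0-7]{2})", block.group(1))
        hashes.append(bytes(int(o, 8) for o in octets))
    return hashes

def root_present(fp, certdata_text):
    """True if a root with this SHA-1 fingerprint is still listed."""
    return fingerprint_bytes(fp) in sha1_hashes(certdata_text)

if __name__ == "__main__":
    print(to_octal(fingerprint_bytes(VALICERT_FP)))
    print("before:", root_present(VALICERT_FP, BEFORE))
    print("after: ", root_present(VALICERT_FP, AFTER))
```

Comparing decoded bytes rather than octal strings keeps the check independent of how the octal lines are wrapped in the file.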
(Assignee)

Comment 6

14 years ago
Comment on attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

r=relyea

Patch does remove the Valicert certificate & trust object.
Attachment #124408 - Flags: review?(relyea) → review+

Comment 7

14 years ago
Comment on attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

Requesting mozilla 1.4 approval.  This is a low risk patch.
It removes a certificate from NSS's built-in list of root
CA certificates.  This change is a requirement for the
Netscape client based on Mozilla 1.4.
Attachment #124408 - Flags: approval1.4?

Comment 8

14 years ago
a=adt for landing this on the 1.4 branch.
Whiteboard: [adt1] → [adt1][ETA: can land upon drivers' approval]

Comment 9

14 years ago
Comment on attachment 124408 [details] [diff] [review]
Proposed patch for NSS 3.8 branch (changes to certdata.c omitted)

a=asa (on behalf of drivers) for checkin to the 1.4 branch.
Attachment #124408 - Flags: approval1.4? → approval1.4+

Comment 10

14 years ago
Fix checked in on the NSS trunk (NSS 3.9), NSS_3_8_BRANCH (NSS 3.8.1),
NSS_CLIENT_TAG (mozilla 1.5alpha), and MOZILLA_1_4_BRANCH (mozilla 1.4
final).

No changes were made to the Baltimore roots.  Please open a separate
bug for them.
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Keywords: fixed1.4
Resolution: --- → FIXED

Comment 11

14 years ago
Created attachment 124761 [details] [diff] [review]
Documentation change

1. Add instructions on removing a builtin root CA cert
to the README file.

2. Add a table of the range of the module's library minor
versions for each NSS 3.x branch to nssckbi.h.

Comment 12

14 years ago
Created attachment 124768 [details] [diff] [review]
Documentation change v1.1
Attachment #124761 - Attachment is obsolete: true

Updated

14 years ago
Attachment #124768 - Flags: review?(relyea)

Comment 13

14 years ago
Created attachment 124925 [details] [diff] [review]
Proposed patch for NSS 3.7 branch (changes to certdata.c omitted)

Bumped the module's minor version to 21 (from 20).
Changed NSS version to 3.7.6 (from 3.7.5).

Bob, could you review this patch?  Thanks.

Comment 14

14 years ago
Patch checked into NSS_3_7_BRANCH for NSS 3.7.6.
Whiteboard: [adt1][ETA: can land upon drivers' approval] → [adt1][ETA: can land upon drivers' approval][3.7.6]

Comment 15

14 years ago
verified that fix made it into the said branches
Status: RESOLVED → VERIFIED

Comment 16

14 years ago
marking verified1.4
Keywords: fixed1.4 → verified1.4

Updated

14 years ago
Flags: blocking1.4?
(Assignee)

Updated

14 years ago
Attachment #124768 - Flags: review?(rrelyea0264) → review+