Last Comment Bug 244982 - Add ipsCA root certificates to NSS
: Add ipsCA root certificates to NSS
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: unspecified
: All Mac OS X
P2 enhancement (vote)
: 3.9.3
Assigned To: Nelson Bolyard (seldom reads bugmail)
: Bishakha Banerjee
: 213177 (view as bug list)
Depends on:
Blocks: 232695
  Show dependency treegraph
Reported: 2004-05-28 09:40 PDT by Frank Hecker
Modified: 2005-04-11 17:38 PDT (History)
1 user (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

patch v1 (180.74 KB, patch)
2004-08-05 22:48 PDT, Nelson Bolyard (seldom reads bugmail)
no flags Details | Diff | Splinter Review

Description User image Frank Hecker 2004-05-28 09:40:11 PDT
Comment 1 User image Frank Hecker 2004-05-28 09:43:37 PDT
Sigh. I keep hitting return in Bugzilla before I'm supposed to :-(

Per my comments in bug 232695 I'm approving inclusion of root CA certs for ipsCA
in Mozilla. For the complete list of certs see
<>. To my knowledge all the
certs are true root certs.
Comment 2 User image Nelson Bolyard (seldom reads bugmail) 2004-06-28 20:20:36 PDT
Put on 3.10 radar screen.

Frank, are there any more of these forthcoming?
Comment 3 User image Frank Hecker 2004-06-30 03:23:58 PDT
Yes, there may be at least one or two more shortly. I'll post to n.p.m.crypto
today with details.
Comment 4 User image Nelson Bolyard (seldom reads bugmail) 2004-07-16 16:04:34 PDT
One of the 7 ipsca root CA certs claims to be a timestamping CA cert.
But NSS doesn't implement signed timestamping (or recognize it).

Also, that timestamping CA cert is marked to be valid for many uses,
including SSL server auth, SSL client auth, email, and not just for

So, we we want to include that CA cert?
Comment 5 User image Nelson Bolyard (seldom reads bugmail) 2004-08-05 22:48:46 PDT
Created attachment 155333 [details] [diff] [review]
patch v1

This patch depends on the patches to bug 242040 and bug 252132 being 
applied first.
Comment 6 User image Nelson Bolyard (seldom reads bugmail) 2004-08-05 22:52:59 PDT
Frank, I would like someone from IPS CA to contact me by email to arrange
to test an engineering build of nssckbi with these certs in it.  I have 
not found any email addresses in the CC lists of any of the relevant bugs.
Comment 7 User image Nelson Bolyard (seldom reads bugmail) 2004-08-11 18:36:49 PDT
Comment on attachment 155333 [details] [diff] [review]
patch v1

Julien, please review.	Remember that this patch has a prerequisite patch that
has not yet been applied.
Comment 8 User image Florian Effenberger 2004-08-23 00:17:14 PDT

is going to implement it as well.
Comment 9 User image Nelson Bolyard (seldom reads bugmail) 2004-09-04 00:45:09 PDT
This has been checked in on the trunk for NSS 3.10.
So, I am marking this bug fixed.  We may also choose to 
port this enhancement back to NSS 3.9.x.  
Comment 10 User image Nelson Bolyard (seldom reads bugmail) 2004-09-15 19:47:18 PDT
Checked in on the 3.9 branch.
Checking in builtins/certdata.c;   new revision:; previous 1.27
Checking in builtins/certdata.txt; new revision:; previous 1.28
Checking in builtins/nssckbi.h;    new revision:;  previous
Comment 11 User image Nelson Bolyard (seldom reads bugmail) 2004-09-30 11:35:23 PDT
*** Bug 213177 has been marked as a duplicate of this bug. ***
Comment 12 User image Wan-Teh Chang 2005-04-11 17:38:22 PDT
Verified with Firefox 1.0.2 that seven IPS root CA certs
(including the timestamping CA) are in the "Builtin
Object Token" and their trust settings are:
This certificate can identify web sites.
This certificate can identify mail users.
This certificate can identify software makers.

Note You need to log in before you can comment on or make changes to this bug.