Sigh. I keep hitting return in Bugzilla before I'm supposed to :-( Per my comments in bug 232695 I'm approving inclusion of root CA certs for ipsCA in Mozilla. For the complete list of certs see <http://www.hecker.org/mozilla/ca-certificate-list>. To my knowledge all the certs are true root certs.
Put on 3.10 radar screen. Frank, are there any more of these forthcoming?
Yes, there may be at least one or two more shortly. I'll post to n.p.m.crypto today with details.
One of the 7 ipsca root CA certs claims to be a timestamping CA cert. But NSS doesn't implement signed timestamping (or recognize it). Also, that timestamping CA cert is marked to be valid for many uses, including SSL server auth, SSL client auth, email, and not just for timestamping. So, do we want to include that CA cert?
Created attachment 155333: patch v1. This patch depends on the patches to bug 242040 and bug 252132 being applied first.
Frank, I would like someone from IPS CA to contact me by email to arrange to test an engineering build of nssckbi with these certs in it. I have not found any email addresses in the CC lists of any of the relevant bugs.
Comment on attachment 155333 (patch v1): Julien, please review. Remember that this patch has a prerequisite patch that has not yet been applied.
KDE http://bugs.kde.org/show_bug.cgi?id=61626 is going to implement it as well.
This has been checked in on the trunk for NSS 3.10. So, I am marking this bug fixed. We may also choose to port this enhancement back to NSS 3.9.x.
Checked in on the 3.9 branch. Checking in builtins/certdata.c; new revision: 18.104.22.168; previous 1.27 Checking in builtins/certdata.txt; new revision: 22.214.171.124; previous 1.28 Checking in builtins/nssckbi.h; new revision: 126.96.36.199; previous 188.8.131.52
*** Bug 213177 has been marked as a duplicate of this bug. ***
Verified with Firefox 1.0.2 that seven IPS root CA certs (including the timestamping CA) are in the "Builtin Object Token" and their trust settings are: This certificate can identify web sites. This certificate can identify mail users. This certificate can identify software makers.