Add ipsCA root certificates to NSS

VERIFIED FIXED in 3.9.3

Status

NSS
Libraries
P2
enhancement
VERIFIED FIXED
13 years ago
13 years ago

People

(Reporter: Frank Hecker, Assigned: Nelson Bolyard (seldom reads bugmail))

Tracking

unspecified
3.9.3
All
Mac OS X

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
 
(Reporter)

Comment 1

13 years ago
Sigh. I keep hitting return in Bugzilla before I'm supposed to :-(

Per my comments in bug 232695 I'm approving inclusion of root CA certs for ipsCA
in Mozilla. For the complete list of certs see
<http://www.hecker.org/mozilla/ca-certificate-list>. To my knowledge all the
certs are true root certs.
Blocks: 232695
(Assignee)

Comment 2

13 years ago
Put on 3.10 radar screen.

Frank, are there any more of these forthcoming?
Priority: -- → P2
Target Milestone: --- → 3.10
(Reporter)

Comment 3

13 years ago
Yes, there may be at least one or two more shortly. I'll post to n.p.m.crypto
today with details.
(Assignee)

Comment 4

13 years ago
One of the 7 ipsca root CA certs claims to be a timestamping CA cert.
But NSS doesn't implement signed timestamping (or recognize it).

Also, that timestamping CA cert is marked to be valid for many uses,
including SSL server auth, SSL client auth, email, and not just for
timestamping.  

So, we we want to include that CA cert?
(Assignee)

Comment 5

13 years ago
Created attachment 155333 [details] [diff] [review]
patch v1

This patch depends on the patches to bug 242040 and bug 252132 being 
applied first.
(Assignee)

Comment 6

13 years ago
Frank, I would like someone from IPS CA to contact me by email to arrange
to test an engineering build of nssckbi with these certs in it.  I have 
not found any email addresses in the CC lists of any of the relevant bugs.
Status: NEW → ASSIGNED
(Assignee)

Comment 7

13 years ago
Comment on attachment 155333 [details] [diff] [review]
patch v1

Julien, please review.	Remember that this patch has a prerequisite patch that
has not yet been applied.
Attachment #155333 - Flags: review?(julien.pierre.bugs)

Comment 8

13 years ago
KDE
http://bugs.kde.org/show_bug.cgi?id=61626

is going to implement it as well.

Updated

13 years ago
Flags: blocking-aviary1.0?
(Assignee)

Comment 9

13 years ago
This has been checked in on the trunk for NSS 3.10.
So, I am marking this bug fixed.  We may also choose to 
port this enhancement back to NSS 3.9.x.  
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
(Assignee)

Comment 10

13 years ago
Checked in on the 3.9 branch.
Checking in builtins/certdata.c;   new revision: 1.27.16.1; previous 1.27
Checking in builtins/certdata.txt; new revision: 1.28.16.1; previous 1.28
Checking in builtins/nssckbi.h;    new revision: 1.6.16.2;  previous 1.6.16.1
Target Milestone: 3.10 → 3.9.3
(Assignee)

Comment 11

13 years ago
*** Bug 213177 has been marked as a duplicate of this bug. ***

Updated

13 years ago
Flags: blocking-aviary1.0?

Updated

13 years ago
Attachment #155333 - Flags: review?(julien.pierre.bugs)

Comment 12

13 years ago
Verified with Firefox 1.0.2 that seven IPS root CA certs
(including the timestamping CA) are in the "Builtin
Object Token" and their trust settings are:
This certificate can identify web sites.
This certificate can identify mail users.
This certificate can identify software makers.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.