Sigh. I keep hitting return in Bugzilla before I'm supposed to :-(
Per my comments in bug 232695 I'm approving inclusion of root CA certs for ipsCA
in Mozilla. For the complete list of certs see
<http://www.hecker.org/mozilla/ca-certificate-list>. To my knowledge all the
certs are true root certs.
Put on 3.10 radar screen.
Frank, are there any more of these forthcoming?
Yes, there may be at least one or two more shortly. I'll post to n.p.m.crypto
today with details.
One of the 7 ipsca root CA certs claims to be a timestamping CA cert.
But NSS doesn't implement signed timestamping (or recognize it).
Also, that timestamping CA cert is marked to be valid for many uses,
including SSL server auth, SSL client auth, email, and not just for
So, we we want to include that CA cert?
Created attachment 155333 [details] [diff] [review]
This patch depends on the patches to bug 242040 and bug 252132 being
Frank, I would like someone from IPS CA to contact me by email to arrange
to test an engineering build of nssckbi with these certs in it. I have
not found any email addresses in the CC lists of any of the relevant bugs.
Comment on attachment 155333 [details] [diff] [review]
Julien, please review. Remember that this patch has a prerequisite patch that
has not yet been applied.
is going to implement it as well.
This has been checked in on the trunk for NSS 3.10.
So, I am marking this bug fixed. We may also choose to
port this enhancement back to NSS 3.9.x.
Checked in on the 3.9 branch.
Checking in builtins/certdata.c; new revision: 184.108.40.206; previous 1.27
Checking in builtins/certdata.txt; new revision: 220.127.116.11; previous 1.28
Checking in builtins/nssckbi.h; new revision: 18.104.22.168; previous 22.214.171.124
*** Bug 213177 has been marked as a duplicate of this bug. ***
Verified with Firefox 1.0.2 that seven IPS root CA certs
(including the timestamping CA) are in the "Builtin
Object Token" and their trust settings are:
This certificate can identify web sites.
This certificate can identify mail users.
This certificate can identify software makers.