Per the discussion in bug 249710 I've approved adding CA certs for Comodo Group. There are three certs (for AAACertificateServices, SecureCertificateServices, and TrustedCertificateServices); see the entry for Comodo Group in <http://www.hecker.org/mozilla/ca-certificate/list/> or go directly to <http://www.comodogroup.com/repository/>. All three certs should have trust bits marked to "all".
Frank, I get error 404 on the hecker.org URL cited above.
Taking. All Frank's other bugs like this are assigned to me, and I have patches for them. Might as well take this one too.
(In reply to comment #1) > Frank, I get error 404 on the hecker.org URL cited above. Sorry, forgot to correct this earlier; the correct URL is: http://www.hecker.org/mozilla/ca-certificate-list/
Created attachment 155331 [details] [diff] [review] patch v1 This patch depends on the patch for bug 242040 being applied first. This patch is supplemental to that one.
Comment on attachment 155331 [details] [diff] [review] patch v1 Julien, please review. Remember that this patch has two prerequisite patches, neither of which is yet checked in.
This has been checked in on the trunk for NSS 3.10. So, I am marking this bug fixed. We may also choose to port this enhancement back to NSS 3.9.x.
Created attachment 158948 [details] [diff] [review] patch for NSS 3.9 branch This patch brings the NSS 3.9 branch up to parity with the trunk (NSS 3.10) with respect to the root CAs. That is, it adds to the 3.9 branch all the CA certs that were added to the trunk just a week or two ago. With this patch applied to the 3.9 branch, the main differences in nssckbi between the 3.9 branch and the trunk are a) the minor version number (4x for 3.9, 5x for the trunk) b) the absense/presence of Ian's fix for SSL-StepUp trust flags. Otherwise, the certs and trust flags are the same. I would like to check this in for NSS 3.9.3, in hopes that firefox 1.0 RTM will pick up NSS 3.9.3, and therefore support these new CAs in the 1.0 release. So, Wan-Teh or Julien, please review this patch for 3.9 with all due haste.
Comment on attachment 158948 [details] [diff] [review] patch for NSS 3.9 branch Wan-Teh please read the comments about this patch in the bug, above, and then review this patch. I'd like to see this patch get into firefox 1.0
Comment on attachment 158948 [details] [diff] [review] patch for NSS 3.9 branch Nelson, I like your changes to nssckbi.h. I need to sit down with you to review the trust flags for these new CAs. We should also find out how to get these new CAs into the next Mozilla 1.7.x release.
Comment on attachment 158948 [details] [diff] [review] patch for NSS 3.9 branch r=wtc.
Checked in on the 3.9 branch. Checking in builtins/certdata.c; new revision: 22.214.171.124; previous 1.27 Checking in builtins/certdata.txt; new revision: 126.96.36.199; previous 1.28 Checking in builtins/nssckbi.h; new revision: 188.8.131.52; previous 184.108.40.206
Verified with Firefox 1.0.2 that Comodo AAA Certificate Services, Secure Certificate Services, and Trusted Certificate Services root CA certs are in the "Builtin Object Token" with the following trust settings: This certificate can identify web sites. This certificate can identify mail users. This certificate can identify software makers.