Bug 252132 - Add Comodo CA certs to NSS
Status: VERIFIED FIXED
Product: NSS
Classification: Components
Component: Libraries
Version: 3.9
Platform: All All
Importance: P2 enhancement
Target Milestone: 3.9.3
Assigned To: Nelson Bolyard (seldom reads bugmail)
QA Contact: Bishakha Banerjee
URL: http://www.comodogroup.com/repository/
Reported: 2004-07-19 10:13 PDT by Frank Hecker
Modified: 2005-04-12 04:29 PDT


Attachments
patch v1 (51.32 KB, patch)
2004-08-05 22:24 PDT, Nelson Bolyard (seldom reads bugmail)
no flags
patch for NSS 3.9 branch (241.90 KB, patch)
2004-09-14 23:52 PDT, Nelson Bolyard (seldom reads bugmail)
wtc: review+

Description Frank Hecker 2004-07-19 10:13:20 PDT
Per the discussion in bug 249710 I've approved adding CA certs for Comodo Group.
There are three certs (for AAACertificateServices, SecureCertificateServices,
and TrustedCertificateServices); see the entry for Comodo Group in
<http://www.hecker.org/mozilla/ca-certificate/list/> or go directly to
<http://www.comodogroup.com/repository/>. All three certs should have trust bits
marked to "all".
Comment 1 Nelson Bolyard (seldom reads bugmail) 2004-07-19 11:50:31 PDT
Frank, I get error 404 on the hecker.org URL cited above.
Comment 2 Nelson Bolyard (seldom reads bugmail) 2004-07-19 20:02:49 PDT
Taking.  All Frank's other bugs like this are assigned to me, and I have
patches for them.  Might as well take this one too.  
Comment 3 Frank Hecker 2004-07-28 04:37:46 PDT
(In reply to comment #1)
> Frank, I get error 404 on the hecker.org URL cited above.

Sorry, forgot to correct this earlier; the correct URL is:

  http://www.hecker.org/mozilla/ca-certificate-list/

Comment 4 Nelson Bolyard (seldom reads bugmail) 2004-08-05 22:24:08 PDT
Created attachment 155331
patch v1 

This patch depends on the patch for bug 242040 being applied first. 
This patch is supplemental to that one.
Comment 5 Nelson Bolyard (seldom reads bugmail) 2004-08-11 18:38:18 PDT
Comment on attachment 155331
patch v1 

Julien, please review.
Remember that this patch has two prerequisite patches, neither of which is yet
checked in.
Comment 6 Nelson Bolyard (seldom reads bugmail) 2004-09-04 00:44:25 PDT
This has been checked in on the trunk for NSS 3.10.
So, I am marking this bug fixed.  We may also choose to 
port this enhancement back to NSS 3.9.x.  
Comment 7 Nelson Bolyard (seldom reads bugmail) 2004-09-14 23:52:23 PDT
Created attachment 158948
patch for NSS 3.9 branch

This patch brings the NSS 3.9 branch up to parity with the trunk (NSS 3.10)
with respect to the root CAs.  That is, it adds to the 3.9 branch all the
CA certs that were added to the trunk just a week or two ago.  

With this patch applied to the 3.9 branch, the main differences in nssckbi
between the 3.9 branch and the trunk are 
a) the minor version number (4x for 3.9, 5x for the trunk)
b) the absence/presence of Ian's fix for SSL-StepUp trust flags.  

Otherwise, the certs and trust flags are the same.  

I would like to check this in for NSS 3.9.3, in hopes that firefox 1.0 RTM
will pick up NSS 3.9.3, and therefore support these new CAs in the 1.0
release.  

So, Wan-Teh or Julien, please review this patch for 3.9 with all due haste.
Comment 8 Nelson Bolyard (seldom reads bugmail) 2004-09-14 23:55:05 PDT
Comment on attachment 158948
patch for NSS 3.9 branch

Wan-Teh please read the comments about this patch in the bug, above, and then
review this patch.  I'd like to see this patch get into firefox 1.0.
Comment 9 Wan-Teh Chang 2004-09-15 08:21:27 PDT
Comment on attachment 158948
patch for NSS 3.9 branch

Nelson, I like your changes to nssckbi.h.

I need to sit down with you to review the
trust flags for these new CAs.

We should also find out how to get these
new CAs into the next Mozilla 1.7.x release.
Comment 10 Wan-Teh Chang 2004-09-15 18:08:57 PDT
Comment on attachment 158948
patch for NSS 3.9 branch

r=wtc.
Comment 11 Nelson Bolyard (seldom reads bugmail) 2004-09-15 19:45:45 PDT
Checked in on the 3.9 branch.
Checking in builtins/certdata.c;   new revision: 1.27.16.1; previous 1.27
Checking in builtins/certdata.txt; new revision: 1.28.16.1; previous 1.28
Checking in builtins/nssckbi.h;    new revision: 1.6.16.2;  previous 1.6.16.1
Comment 12 Wan-Teh Chang 2005-04-11 18:03:49 PDT
Verified with Firefox 1.0.2 that Comodo AAA Certificate
Services, Secure Certificate Services, and Trusted Certificate
Services root CA certs are in the "Builtin Object Token"
with the following trust settings:
This certificate can identify web sites.
This certificate can identify mail users.
This certificate can identify software makers.
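
The check in comment 12 was done through the Firefox certificate UI; the same three trust bits can be audited directly in builtins/certdata.txt before a build. This is an added example, not part of the bug thread or the NSS source: the sample text is constructed (labels and hash bytes are made up) in certdata.txt's attribute/type/value layout, and `parse_objects` and `missing_trust` are hypothetical helper names.

```python
import re
# Constructed sample in certdata.txt layout; labels and hash bytes are made up.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example AAA Certificate Services"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\000\001\002\003
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Secure Certificate Services"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
'''
# Trust attributes mapped to the three purposes named in comment 12.
PURPOSES = {"CKA_TRUST_SERVER_AUTH": "web sites",
            "CKA_TRUST_EMAIL_PROTECTION": "mail users",
            "CKA_TRUST_CODE_SIGNING": "software makers"}
TRUSTED = re.compile(r"CKT_(NETSCAPE|NSS)_TRUSTED_DELEGATOR$")  # old or new prefix

def parse_objects(text):
    """Return one {attribute: value} dict per object, skipping octal blobs."""
    objs, in_octal = [], False
    for line in map(str.strip, text.splitlines()):
        if in_octal:                      # inside MULTILINE_OCTAL ... END
            in_octal = line != "END"
            continue
        parts = [] if line.startswith("#") else line.split(None, 2)
        if parts[1:] == ["MULTILINE_OCTAL"]:
            in_octal = True
        if len(parts) < 3:                # blank, comment, or blob header
            continue
        if parts[0] == "CKA_CLASS":       # every object starts with CKA_CLASS
            objs.append({})
        if objs:
            objs[-1][parts[0]] = parts[2].strip('"')
    return objs

def missing_trust(text, name):
    """Map each matching trust object's label to purposes it is NOT trusted for."""
    report = {}
    for obj in parse_objects(text):
        label = obj.get("CKA_LABEL", "")
        if obj["CKA_CLASS"].endswith("_TRUST") and name.lower() in label.lower():
            report[label] = [p for a, p in PURPOSES.items()
                             if not TRUSTED.match(obj.get(a, ""))]
    return report
```

An empty list for a label means all three bits are set, matching "all" in the description; a non-empty list names the purposes to question before check-in.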
