Add TDC root CA certs to NSS

VERIFIED FIXED in 3.9.5

Status

NSS
Libraries
P2
enhancement
VERIFIED FIXED
13 years ago
11 years ago

People

(Reporter: Frank Hecker, Assigned: Nelson Bolyard (seldom reads bugmail))

Tracking

unspecified
3.9.5

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

13 years ago
Per my comments in bug 204839 I've formally approved adding the TDC root CA certs
to Mozilla. Please see bug 204839 for the actual certs and verified SHA-1
fingerprints; both should be marked as trusted for all purposes.

Comment 1

13 years ago
This is very cool for the Danish people.

Comment 2

13 years ago
If this is to make TB 1.0, the certificates need to be checked directly into the
AVIARY_1_0_20040515_BRANCH: http://lxr.mozilla.org/aviarybranch/source/client.mk#60

The same applies to Mozilla 1.7.x, which is built from the MOZILLA_1_7_BRANCH.
Flags: blocking1.7.x?
Flags: blocking-aviary1.0?

Comment 3

13 years ago
(In reply to comment #2)

Who will execute those operations?

Comment 4

13 years ago
The assignee, I guess. He has to get approval-aviary and/or approval1.7.x if he
wants to check into the branches. He has to hurry up though, Thunderbird is
(was) scheduled for mid November, Mozilla 1.7.5 for mid December.
(Reporter)

Comment 5

13 years ago
I've exchanged email with the relevant NSS and TB developers, and IMO this
change is *not* going to be made in time for TB 1.0. It's just too close to the
TB 1.0 release date, there is a fair amount of work that would need to be done
(TDC is not the only CA that would need to have root certificates added), and
people are less available because of the long holiday weekend in the U.S.

TDC root certificates will definitely be included in TB 1.1, FF 1.1, and Mozilla
1.8. I don't know if it will be possible to include them in any earlier releases.
(Assignee)

Comment 6

13 years ago
The NSS team maintains the NSS trunk and the NSS_3_*_BRANCH branches.
We do not maintain aviary or other mozilla browser branches.
The maintainers of those other branches are free to take patches from
the NSS trunk or NSS branches.

I will create patches for the NSS trunk (from which the NSS 3.10 
release will come, some day) and the NSS_3_9_BRANCH, exactly as I 
did for the last batch of CA certs that Frank approved.  
Priority: -- → P2
Target Milestone: --- → 3.10
(Assignee)

Comment 7

13 years ago
The patches that add these requested ROOT CA certs to the NSS 3.9 branch
and to the NSS trunk have been attached to bug 271585.  Please see 
bug 271585 for those attachments.  When those attachments have been 
reviewed and checked in, this bug will be marked resolved/fixed.
Status: NEW → ASSIGNED
(Assignee)

Comment 8

13 years ago
Here are the "nicknames" I created for the new root CAs being added:

+CKA_LABEL UTF8 "QuoVadis Root CA"
+CKA_LABEL UTF8 "Security Communication Root CA"
+CKA_LABEL UTF8 "Sonera Class 1 Root CA"
+CKA_LABEL UTF8 "Sonera Class 2 Root CA"
+CKA_LABEL UTF8 "Staat Der Nederlannden Root CA"
+CKA_LABEL UTF8 "TDC Internet Root CA"
+CKA_LABEL UTF8 "TDC OCES Root CA"
+CKA_LABEL UTF8 "UTN DataCorp SGC Root CA"
+CKA_LABEL UTF8 "UTN UserFirst EMail Root CA"
+CKA_LABEL UTF8 "UTN UserFirst Hardware Root CA"
+CKA_LABEL UTF8 "UTN UserFirst Object Root CA"
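
Review bot: The label on the fifth added line, "Staat Der Nederlannden Root CA", has a doubled 'n' and capitalizes "Der"; it should read "Staat der Nederlanden Root CA". Since CKA_LABEL is the nickname shown for the built-in token, the casing of "UTN DataCorp" and "UserFirst" should also be checked against the names in the certificates themselves before check-in.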

Frank, please review these nicknames and tell me if any need to be changed.

Note that I'm trying to avoid the use of non-ASCII characters, to avoid 
some bugs where ISO-Latin-1 characters get interpreted as UTF8 with bad 
results.
(Reporter)

Comment 9

13 years ago
Please change the nicknames to the following:

+CKA_LABEL UTF8 "QuoVadis Root CA"
+CKA_LABEL UTF8 "Security Communication Root CA"
+CKA_LABEL UTF8 "Sonera Class 1 Root CA"
+CKA_LABEL UTF8 "Sonera Class 2 Root CA"
+CKA_LABEL UTF8 "Staat der Nederlanden Root CA"
+CKA_LABEL UTF8 "TDC Internet Root CA"
+CKA_LABEL UTF8 "TDC OCES Root CA"
+CKA_LABEL UTF8 "UTN DATACorp SGC Root CA"
+CKA_LABEL UTF8 "UTN USERFirst Client Authentication and Email Root CA"
+CKA_LABEL UTF8 "UTN USERFirst Hardware Root CA"
+CKA_LABEL UTF8 "UTN USERFirst Object Root CA"

to reflect the following changes:

1. Change to "Staat der Nederlanden Root CA" to correct typo (one 'n', not two)
and reflect proper capitalization of "der".

2. Change to "UTN DATACorp SGC Root CA" to reflect capitalization in cert itself.

3. Change "UserFirst" to "USERFirst" to reflect capitalization in the certs
themselves.

4. Change to "UTN USERFirst Client Authentication and Email Root CA" to reflect
its full name, unless this name would be too long for NSS and/or the PSM display
area. Otherwise change to "UTN USERFirst Email Root CA" to reflect proper
capitalization of "Email".
(Assignee)

Comment 10

13 years ago
OK, thanks Frank. As you surmised,
"UTN USERFirst Client Authentication and Email Root CA" is too
long for PSM's display. So, I'll use "UTN USERFirst Email Root CA".
(Assignee)

Comment 11

13 years ago
The root CA cert(s) indicated above have been added to the trunk and the 
NSS 3.9 branch.  See bug 271585 for more details and the patches.

For testing purposes, for a short time (weeks), a copy of a debug build
of nssckbi.dll with these certs added, built from the NSS 3.9 branch,
may be obtained for testing at http://nelson.bolyard.com/mozilla/nssckbi.dll

I invite the representatives of the various CAs to download it and test it.
Please add any comments (reflecting success or failure) to this bug.
It passes my te
Status: ASSIGNED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → FIXED
Target Milestone: 3.10 → 3.9.5

Updated

13 years ago
Flags: blocking1.7.5?
Flags: blocking-aviary1.0?

Comment 12

13 years ago
Verified with Firefox 1.0.2 that these two root CA
certs are in the "Builtin Object Token" with nicknames
"TDC OCES Root CA" and "TDC Internet Root CA" and
their trust settings are:
This certificate can identify web sites.
This certificate can identify mail users.
This certificate can identify software makers.
Status: RESOLVED → VERIFIED
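
The two checks discussed in this thread (ASCII-only nicknames from comment 8, trust for all three purposes from comment 12) can be automated over certdata-style text. This is an added example, not code from NSS or from the commenters; the sample entries are constructed, "Example Région Root CA" is a hypothetical label, and the `CKT_NSS_*` trust constants are assumed to match the certdata.txt being checked.

```python
import re

# Constructed certdata-style trust entries (not from the real file); the second
# is deliberately wrong: a Latin-1 byte in its label, one purpose untrusted.
SAMPLE = (
    b'CKA_LABEL UTF8 "TDC OCES Root CA"\n'
    b'CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n'
    b'CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n'
    b'CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n'
    b'\n'
    b'CKA_LABEL UTF8 "Example R\xe9gion Root CA"\n'
    b'CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n'
    b'CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\n'
    b'CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST\n'
)

LABEL = re.compile(rb'^CKA_LABEL UTF8 "(.*)"$', re.M)
TRUST = re.compile(rb'^(CKA_TRUST_\w+) CK_TRUST (\w+)$', re.M)
# Trust attribute -> the wording the certificate manager shows (comment 12).
PURPOSES = {
    b"CKA_TRUST_SERVER_AUTH": "web sites",
    b"CKA_TRUST_EMAIL_PROTECTION": "mail users",
    b"CKA_TRUST_CODE_SIGNING": "software makers",
}

def lint(data: bytes) -> dict:
    """Return {label: [problems]} for each trust entry in certdata-style bytes."""
    report = {}
    for obj in data.split(b"\n\n"):
        m = LABEL.search(obj)
        if not m:
            continue
        raw, problems = m.group(1), []
        if not raw.isascii():
            try:
                raw.decode("utf-8")
                problems.append("label is non-ASCII")
            except UnicodeDecodeError:
                # Bytes that only make sense as ISO-Latin-1 break UTF-8 readers.
                problems.append("label is not valid UTF-8 (Latin-1 bytes?)")
        trust = dict(TRUST.findall(obj))
        for attr, purpose in PURPOSES.items():
            if trust.get(attr) != b"CKT_NSS_TRUSTED_DELEGATOR":
                problems.append(f"not trusted to identify {purpose}")
        report[raw.decode("latin-1")] = problems
    return report

if __name__ == "__main__":
    for label, problems in lint(SAMPLE).items():
        print(label, "->", problems or "ok")
```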
(Reporter)

Updated

13 years ago
No longer blocks: 204839