Closed Bug 290498 Opened 21 years ago Closed 20 years ago

Add recently approved root CA certs to NSS_3_9_BRANCH

Categories

(NSS :: Libraries, enhancement, P1)

Product:
NSS
Component:
Libraries
Version:
3.9.5
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: wtc, Assigned: wtc)

Details

Attachments

(2 files, 3 obsolete files)

Proposed patch v1.1
64.69 KB, patch
Details | Diff | Splinter Review
List of new roots and their trust bits, v1.1
376 bytes, patch
nelson
: review+
Details | Diff | Splinter Review
We need to add recently approved root CA certs to the NSS_3_9_BRANCH for the Mozilla 1.7.x and Aviary (Firefox/Thunderbird) 1.0.x series products. The cutoff date for the certs that will be added in this enhancement request is today, 2005-04-15.
Attached patch Proposed patch (obsolete) — Splinter Review
Attached file List of new roots and their trust bits (obsolete) —
The patch is not human readable, so I'm asking you to review the list of new roots and their trust bits instead.
Attachment #180818 - Flags: superreview?(hecker)
Attachment #180818 - Flags: review?(nelson)
Comment on attachment 180817 [details] [diff] [review] Proposed patch Some comments on the patch. The changes to certdata.c (a generated file) are omitted for brevity. We don't need to bump the nssckbi module version because I just bumped it earlier this week for some other root CA change.
Comment on attachment 180817 [details] [diff] [review] Proposed patch I checked in this patch on the NSS_3_9_BRANCH (NSS 3.9.6, nssckbi 1.43). Checking in certdata.c; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c new revision: 1.27.16.4; previous revision: 1.27.16.3 done Checking in certdata.txt; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.tx t new revision: 1.28.16.4; previous revision: 1.28.16.3 done
Comment on attachment 180818 [details] List of new roots and their trust bits >Camerfirma Chambers of Commerce Root C,C,C >Camerfirma Global Chambersign C,C,C >NetLock Notary (Class A) Root C,C,C >NetLock Business (Class B) Root C,C,C >NetLock Express (Class C) Root C,C,C >XRamp Global CA Root C,C,C >Go Daddy Class 2 CA C,C,C >Certificate "Starfield Class 2 CA C,C,C This last nickname seems badly formatted. I don't think it should contain the word Certificate nor the unmatched quote character.
Attachment #180818 - Flags: review?(nelson)
Attached file List of new roots and their trust bits (obsolete) —
That was an editing error. Sorry. It has been corrected in this list.
Attachment #180818 - Attachment is obsolete: true
Attachment #180820 - Flags: superreview?(hecker)
Attachment #180820 - Flags: review?(nelson)
Attachment #180818 - Flags: superreview?(hecker)
Comment on attachment 180820 [details] List of new roots and their trust bits Hmm, looking at this list closer, I think we should add "Root" to the nickname for Global Chambersign: Camerfirma Global Chambersign C,C,C Agreed?
Yes, I think all these nicknames want to have the word Root in them. Is the name "Go Daddy" or "GoDaddy"? Is it two words? or one?
Added "Root" to the nickname for the "Global Chambersign" root.
Attachment #180817 - Attachment is obsolete: true
Attachment #180820 - Attachment is obsolete: true
Attachment #180849 - Flags: superreview?(hecker)
Attachment #180849 - Flags: review?(nelson)
Attachment #180820 - Flags: superreview?(hecker)
Attachment #180820 - Flags: review?(nelson)
Nelson, The "Go Daddy" name is two words. I added "Root" to the nickname for the "Global Chambersign" root but left the "Go Daddy" and "Starfield" roots' nicknames alone because many other roots' nicknames also use "CA" instead of "Root". We are not consistent.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.9.6
Nicknames and trust bits look OK to me. sr=hecker (or whatever the convention is -- no one ever asks me to superreview anything :-)
With this patch, will there be any discrepancies between 3.10 nicknames and 3.9.6 nicknames? If not, then r=nelson In reply to comment 11, indeed I see NSS is quite inconsistent about nicknames. We have 20-30 in each of these categories: - use Root but not CA, - use CA but not Root - use both Root and CA - use neither
There won't be any discrepancies between 3.10 nicknames and 3.9.6 nicknames.
Comment on attachment 180849 [details] [diff] [review] List of new roots and their trust bits, v1.1 Requesting Mozilla 1.7.8 and Aviary 1.0.4 approvals. This patch adds root CA certificates that Frank Hecker recently approved to the NSS_3_9_BRANCH and is suitable for MOZILLA_1_7_BRANCH and AVIARY_1_0_1_20050124_BRANCH. The patch itself is not human readable because it's binary data. So I asked Nelson Bolyard and Frank Hecker to review the most important data in the patch. They indicated their r+ and sr+ in comment 13 and comment 12 but forgot to set the flags.
Attachment #180849 - Flags: approval1.7.8?
Attachment #180849 - Flags: approval-aviary1.0.4?
Attachment #180849 - Flags: review?(nelson) → review+
QA Contact: bishakhabanerjee → jason.m.reid
Attachment #180849 - Flags: approval1.7.8? → approval1.7.9?
Comment on attachment 180849 [details] [diff] [review] List of new roots and their trust bits, v1.1 1.0.5 and 1.7.8 have already shipped; removing approval requests.
Attachment #180849 - Flags: approval1.7.9?
Attachment #180849 - Flags: approval-aviary1.0.5?
I asked for drivers' approval several times but the drivers are only taking security fixes on the Aviary 1.0.x and Mozilla 1.7 branches. I gave up. Marked the bug WONTFIX. Sorry, Frank.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → WONTFIX
Attachment #180849 - Flags: superreview?(hecker)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: