Closed Bug 290498 Opened 19 years ago Closed 19 years ago

Add recently approved root CA certs to NSS_3_9_BRANCH

Categories

(NSS :: Libraries, enhancement, P1)

Product:
NSS
Component:
Libraries
Version:
3.9.5
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: wtc, Assigned: wtc)

Details

Attachments

(2 files, 3 obsolete files)

Proposed patch v1.1
64.69 KB, patch
Details | Diff | Splinter Review
List of new roots and their trust bits, v1.1
376 bytes, patch
nelson
: review+
Details | Diff | Splinter Review 
We need to add recently approved root CA certs
to the NSS_3_9_BRANCH for the Mozilla 1.7.x and
Aviary (Firefox/Thunderbird) 1.0.x series products.

The cutoff date for the certs that will be added
in this enhancement request is today, 2005-04-15.
Attached patch Proposed patch (obsolete) — Splinter Review 

    
    

    
  

      
      
      
      

        Attached file
          
        List of new roots and their trust bits (obsolete)
        — 
      

    


  
The patch is not human readable, so I'm asking you to
review the list of new roots and their trust bits instead.

        Attachment #180818 -
        Flags: superreview?(hecker)

        Attachment #180818 -
        Flags: review?(nelson)

    
    

    
  
Comment on attachment 180817 [details] [diff] [review]
Proposed patch

Some comments on the patch.

The changes to certdata.c (a generated file) are omitted
for brevity.

We don't need to bump the nssckbi module version because
I just bumped it earlier this week for some other root
CA change.

    
    

    
  
Comment on attachment 180817 [details] [diff] [review]
Proposed patch

I checked in this patch on the NSS_3_9_BRANCH (NSS 3.9.6,
nssckbi 1.43).

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.27.16.4; previous revision: 1.27.16.3
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v	<-- 
certdata.tx
t
new revision: 1.28.16.4; previous revision: 1.28.16.3
done

    
    

    
  
Comment on attachment 180818 [details]
List of new roots and their trust bits

>Camerfirma Chambers of Commerce Root    C,C,C
>Camerfirma Global Chambersign           C,C,C
>NetLock Notary (Class A) Root           C,C,C
>NetLock Business (Class B) Root         C,C,C
>NetLock Express (Class C) Root          C,C,C
>XRamp Global CA Root                    C,C,C
>Go Daddy Class 2 CA                     C,C,C
>Certificate "Starfield Class 2 CA       C,C,C

This last nickname seems badly formatted.
I don't think it should contain the word Certificate 
nor the unmatched quote character.

        Attachment #180818 -
        Flags: review?(nelson)

    
    

    
  

      
      
      
      

        Attached file
          
        List of new roots and their trust bits (obsolete)
        — 
      

    


  
That was an editing error.  Sorry.  It has
been corrected in this list.

        Attachment #180818 -
        Attachment is obsolete: true

        Attachment #180820 -
        Flags: superreview?(hecker)

        Attachment #180820 -
        Flags: review?(nelson)

    
  

        Attachment #180818 -
        Flags: superreview?(hecker)

    
    

    
  
Comment on attachment 180820 [details]
List of new roots and their trust bits

Hmm, looking at this list closer, I think we should
add "Root" to the nickname for Global Chambersign:

  Camerfirma Global Chambersign 	  C,C,C

Agreed?

    
    

    
  
Yes, I think all these nicknames want to have the word Root in them.
Is the name "Go Daddy" or "GoDaddy"?  
Is it two words? or one?  

    
    

    
  


  
Added "Root" to the nickname for the "Global Chambersign" root.

        Attachment #180817 -
        Attachment is obsolete: true

    
    

    
  


  

        Attachment #180820 -
        Attachment is obsolete: true

        Attachment #180849 -
        Flags: superreview?(hecker)

        Attachment #180849 -
        Flags: review?(nelson)

    
  

        Attachment #180820 -
        Flags: superreview?(hecker)

        Attachment #180820 -
        Flags: review?(nelson)

    
    

    
  
Nelson,

The "Go Daddy" name is two words.  I added "Root" to the
nickname for the "Global Chambersign" root but left the
"Go Daddy" and "Starfield" roots' nicknames alone because
many other roots' nicknames also use "CA" instead of "Root".
We are not consistent.
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → 3.9.6

    
    

    
  
Nicknames and trust bits look OK to me. sr=hecker (or whatever the convention is
-- no one ever asks me to superreview anything :-)

    
    

    
  
With this patch, will there be any discrepancies between 3.10 nicknames
and 3.9.6 nicknames?  If not, then r=nelson

In reply to comment 11, 
indeed I see NSS is quite inconsistent about nicknames.  We have
20-30 in each of these categories:
- use Root but not CA,
- use CA but not Root
- use both Root and CA
- use neither

    
    

    
  
There won't be any discrepancies between 3.10 nicknames
and 3.9.6 nicknames.

    
    

    
  
Comment on attachment 180849 [details] [diff] [review]
List of new roots and their trust bits, v1.1

Requesting Mozilla 1.7.8 and Aviary 1.0.4 approvals.

This patch adds root CA certificates that Frank Hecker
recently approved to the NSS_3_9_BRANCH and is suitable
for MOZILLA_1_7_BRANCH and AVIARY_1_0_1_20050124_BRANCH.

The patch itself is not human readable because it's binary
data.  So I asked Nelson Bolyard and Frank Hecker to
review the most important data in the patch.  They
indicated their r+ and sr+ in comment 13 and comment 12
but forgot to set the flags.

        Attachment #180849 -
        Flags: approval1.7.8?

        Attachment #180849 -
        Flags: approval-aviary1.0.4?

        Attachment #180849 -
        Flags: review?(nelson) → review+
QA Contact: bishakhabanerjee → jason.m.reid

    
  

        Attachment #180849 -
        Flags: approval1.7.8? → approval1.7.9?

    
    

    
  
Comment on attachment 180849 [details] [diff] [review]
List of new roots and their trust bits, v1.1

1.0.5 and 1.7.8 have already shipped; removing approval requests.

        Attachment #180849 -
        Flags: approval1.7.9?

        Attachment #180849 -
        Flags: approval-aviary1.0.5?

    
    

    
  
I asked for drivers' approval several times but the
drivers are only taking security fixes on the Aviary
1.0.x and Mozilla 1.7 branches.

I gave up.  Marked the bug WONTFIX.  Sorry, Frank.
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → WONTFIX

    
  

        Attachment #180849 -
        Flags: superreview?(hecker)

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: