Add Trustwave SecureTrust CA and Secure Global CA root CA certificates to NSS

RESOLVED FIXED in 3.12

Status

defect
RESOLVED FIXED
12 years ago
11 years ago

People

(Reporter: hecker, Assigned: kaie)

Tracking

unspecified
3.12
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(3 attachments)

Reporter

Description

12 years ago
his bug requests inclusion in the NSS root certificate store of the following two root CA certificates, owned by Trustwave:

1) Friendly name: "SecureTrust CA"
   SHA-1 fingerprint:
87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
   Trust flags: Web sites, Object signing
   URL:
https://www.securetrust.com/legal/STCA.txt

2) Friendly name: "Secure Global CA"
   SHA1 Fingerprint:
3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B
   Trust flags: Web sites, Email, Object signing
   URL:
https://www.securetrust.com/legal/SGCA.txt

The certificate(s) themselves will be attached momentarily, as downloaded from
the URLs above and verified using the stated fingerprints.

The SecureTrust CA and Secure Global CA have been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion per bug 409837 and bug 409838.

The remaining steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate(s). This process is mostly under
the control of the release drivers for those products.
Reporter

Comment 1

12 years ago
Reporter

Updated

12 years ago
Blocks: 418910
Assignee

Updated

12 years ago
Assignee: nobody → kengert
Assignee

Comment 3

11 years ago
No patch yet, I hope to combine the work for this patch with additional CA inclusions (soon), but here is what I already produced for testing, so it saves me some work later.

addbuiltin -n "SecureTrust CA" -t C,,C < p-418907-ca1.der >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt

addbuiltin -n "Secure Global CA" -t C,C,C < p-418907-ca2.der >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt
Assignee

Updated

11 years ago
Depends on: 425469
Assignee

Comment 4

11 years ago
Dear Trustwave representatives, you have not yet confirmed the information listed in this bug is correct.

I went ahead and included your certificate in a test build anyway.
Please read bug 425469 comment 3 to find the binary roots module for testing and follow Frank's requests given in this tracking bug.

Adding your roots to Mozilla/NSS is blocked pending your confirmation that everything is correct.

Please do not forget to verify the trust flags are correct.

Comment 5

11 years ago
Kai -
Sorry for the delay.  All seems to be good technically, but would it be possible to group the three Trustwave CAs under Trustwave as opposed to where it is currently:
1)secureglobal CA (SGCA) and securetrust CA (STCA) under securetrust 2)xramp CA (XGCA) under xramp

Have it as:
Trustwave
--(SGCA)
--(STCA)
--(XGCA)

"XRamp Security Services, Inc.", is a successor to SecureTrust corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave").  Neither XRamp or Securetrust legally exist anymore.

Rgds,
Andrew
Assignee

Comment 6

11 years ago
Andrew, are you referring to the order as displayed within certificate manager?
Sorry, but that order isn't manual. It's automatically created based on the O= (if I remember correctly) or some other field.
Assignee

Comment 7

11 years ago
Andrew, in comment 5 you said:

> All seems to be good technically

I assume you're saying:
- all information in this bug is correct
- you have tested the binary
- the binary works as desired
- we can go ahead and add the roots

Please speak up if I'm wrong.

Comment 8

11 years ago
I said "All seems to be good technically" which means yes to all 4 bullets.

What I was hoping in response to 3-31 09:54 was that the three Trustwave roots would be blocked underneath a "Trustwave" heading, much as all of Verisigns Class 1-n is blocked under "Verisign" within certificate manager.  In a quick look, it appears that all are blocked by the "O=", so if it cant be done - then "oh, well" - it is no show stopper.

ag 
Assignee

Comment 9

11 years ago
This root was added to NSS for version 3.12 with a checkin noted in bug 425469.
Marking fixed.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee

Updated

11 years ago
Target Milestone: --- → 3.12
You need to log in before you can comment on or make changes to this bug.