Closed
Bug 418907
Opened 17 years ago
Closed 17 years ago
Add Trustwave SecureTrust CA and Secure Global CA root CA certificates to NSS
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.12
People
(Reporter: hecker, Assigned: KaiE)
Attachments (3 files)
1.32 KB, application/x-x509-ca-cert
1.32 KB, application/x-x509-ca-cert
11.90 KB, patch
This bug requests inclusion in the NSS root certificate store of the following two root CA certificates, owned by Trustwave:
1) Friendly name: "SecureTrust CA"
SHA-1 fingerprint:
87:82:C6:C3:04:35:3B:CF:D2:96:92:D2:59:3E:7D:44:D9:34:FF:11
Trust flags: Web sites, Object signing
URL:
https://www.securetrust.com/legal/STCA.txt
2) Friendly name: "Secure Global CA"
SHA1 Fingerprint:
3A:44:73:5A:E5:81:90:1F:24:86:61:46:1E:3B:9C:C4:5F:F5:3A:1B
Trust flags: Web sites, Email, Object signing
URL:
https://www.securetrust.com/legal/SGCA.txt
The certificate(s) themselves will be attached momentarily, as downloaded from
the URLs above and verified using the stated fingerprints.
The SecureTrust CA and Secure Global CA have been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion per bug 409837 and bug 409838.
The remaining steps are as follows:
1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.
2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.
3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.
4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate(s). This process is mostly under
the control of the release drivers for those products.
Comment 1 • 17 years ago (Reporter)
Comment 2 • 17 years ago (Reporter)
Updated • 17 years ago (Assignee)
Assignee: nobody → kengert
Comment 3 • 17 years ago (Assignee)
No patch yet, I hope to combine the work for this patch with additional CA inclusions (soon), but here is what I already produced for testing, so it saves me some work later.
addbuiltin -n "SecureTrust CA" -t C,,C < p-418907-ca1.der >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt
addbuiltin -n "Secure Global CA" -t C,C,C < p-418907-ca2.der >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt
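The check that sits behind the two commands above, as an added example (not code from this bug or from NSS): it derives the `-t` string from the requested trust purposes and refuses to produce an `addbuiltin` line unless the DER file hashes to the SHA-1 fingerprint stated in the bug. The function names and the sample DER bytes are constructed for illustration.

```python
import hashlib
import hmac
import shlex

# Field order of the -t argument: SSL (web sites), S/MIME (email), object signing.
TRUST_FIELDS = ("Web sites", "Email", "Object signing")

def trust_arg(requested):
    """Map the bug's 'Trust flags' line to the addbuiltin -t string."""
    wanted = {p.strip() for p in requested.split(",") if p.strip()}
    unknown = wanted - set(TRUST_FIELDS)
    if unknown:
        raise ValueError(f"unknown trust purpose: {sorted(unknown)}")
    return ",".join("C" if f in wanted else "" for f in TRUST_FIELDS)

def sha1_fingerprint(der_bytes):
    """SHA-1 over the DER encoding, in the colon-separated form the bug uses."""
    digest = hashlib.sha1(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_matches(der_bytes, stated):
    """True only if the file hashes to the fingerprint stated in the bug."""
    want = stated.replace(":", "").strip().upper()
    if len(want) != 40:
        raise ValueError("stated value is not a 20-byte SHA-1 fingerprint")
    got = hashlib.sha1(der_bytes).hexdigest().upper()
    return hmac.compare_digest(got, want)

def addbuiltin_command(nickname, requested, der_path, der_bytes, stated_fp):
    """Build the command line only for a certificate that passed the check."""
    if not fingerprint_matches(der_bytes, stated_fp):
        raise ValueError(f"{nickname}: fingerprint mismatch, not adding")
    return "addbuiltin -n {} -t {} < {}".format(
        shlex.quote(nickname), trust_arg(requested), shlex.quote(der_path))

if __name__ == "__main__":
    sample_der = b"\x30\x03\x02\x01\x01"   # constructed bytes, not a real certificate
    stated = sha1_fingerprint(sample_der)  # stands in for the value from the bug
    print(addbuiltin_command("SecureTrust CA", "Web sites, Object signing",
                             "p-418907-ca1.der", sample_der, stated))
```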
Comment 4 • 17 years ago (Assignee)
Dear Trustwave representatives, you have not yet confirmed the information listed in this bug is correct.
I went ahead and included your certificate in a test build anyway.
Please read bug 425469 comment 3 to find the binary roots module for testing and follow Frank's requests given in this tracking bug.
Adding your roots to Mozilla/NSS is blocked pending your confirmation that everything is correct.
Please do not forget to verify the trust flags are correct.
Comment 5 • 17 years ago
Kai -
Sorry for the delay. All seems to be good technically, but would it be possible to group the three Trustwave CAs under Trustwave as opposed to where it is currently:
1) secureglobal CA (SGCA) and securetrust CA (STCA) under securetrust
2) xramp CA (XGCA) under xramp
Have it as:
Trustwave
--(SGCA)
--(STCA)
--(XGCA)
"XRamp Security Services, Inc." is a successor to SecureTrust corporation, a wholly owned subsidiary of Trustwave Holdings, Inc. ("Trustwave"). Neither XRamp nor Securetrust legally exist anymore.
Rgds,
Andrew
Comment 6 • 17 years ago (Assignee)
Andrew, are you referring to the order as displayed within certificate manager?
Sorry, but that order isn't manual. It's automatically created based on the O= (if I remember correctly) or some other field.
Comment 7 • 17 years ago (Assignee)
Andrew, in comment 5 you said:
> All seems to be good technically
I assume you're saying:
- all information in this bug is correct
- you have tested the binary
- the binary works as desired
- we can go ahead and add the roots
Please speak up if I'm wrong.
Comment 8 • 17 years ago
I said "All seems to be good technically" which means yes to all 4 bullets.
What I was hoping in response to 3-31 09:54 was that the three Trustwave roots would be blocked underneath a "Trustwave" heading, much as all of Verisign's Class 1-n is blocked under "Verisign" within certificate manager. In a quick look, it appears that all are blocked by the "O=", so if it can't be done - then "oh, well" - it is no show stopper.
ag
Comment 9 • 17 years ago (Assignee)
This root was added to NSS for version 3.12 with a checkin noted in bug 425469.
Marking fixed.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 16 years ago (Assignee)
Target Milestone: --- → 3.12