Closed Bug 422921 Opened 12 years ago Closed 12 years ago

Enable VeriSign Class 3 Public Primary CA - G5 for EV

Categories

(Core :: Security: PSM, enhancement)

RESOLVED FIXED

People

(Reporter: hecker, Assigned: kaie)

Per bug 402947 I've approved enabling the VeriSign Class 3 Public Primary Certification Authority - G5 root CA certificate for Extended Validation use. The corresponding EV policy OID is 2.16.840.1.113733.1.7.23.6.

Marking this bug as dependent on first adding the root in question to NSS (bug 422918).
Marking this bug as blocking bug 402947.
Blocks: 402947
This bug should also probably remove the old Verisign OID added for testing purposes, see bug 405906.
Blocks: 405906
Depends on: 425518
(In reply to comment #2)
> This bug should also probably remove the old Verisign OID added for testing
> purposes, see bug 405906.

Yes, although I will try to get multiple things done at the same time.
The patch to add EV approval for the G5 root is in bug 425518.

(Both bug 405906 and bug 425518 have the patch to remove the EV approval for the legacy root, that we had used for testing.)

+    // CN=VeriSign Class 3 Public Primary Certification Authority - G5,OU="(c) 2006 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US
+    "2.16.840.1.113733.1.7.23.6",
+    "VeriSign EV OID",
+    SEC_OID_UNKNOWN,
+    "4E:B6:D5:78:49:9B:1C:CF:5F:58:1E:AD:56:BE:3D:9B:67:44:A5:E5",
+    "MIHKMQswCQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNV"
+    "BAsTFlZlcmlTaWduIFRydXN0IE5ldHdvcmsxOjA4BgNVBAsTMShjKSAyMDA2IFZl"
+    "cmlTaWduLCBJbmMuIC0gRm9yIGF1dGhvcml6ZWQgdXNlIG9ubHkxRTBDBgNVBAMT"
+    "PFZlcmlTaWduIENsYXNzIDMgUHVibGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBB"
+    "dXRob3JpdHkgLSBHNQ==",
+    "GNrRniZ96LtKIVjNzGs7Sg==",
+    nsnull
+  },
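
Review bot: the three literals that bind this entry to one specific root (the colon-separated fingerprint after SEC_OID_UNKNOWN, the base64 issuer string, and the base64 serial "GNrRniZ96LtKIVjNzGs7Sg==") carry no comments saying what each one is or how it was derived. The fingerprint is 20 bytes, which is consistent with SHA-1, but the hunk never states the algorithm. A one-line comment per field (hash algorithm, issuer as base64 of the DER-encoded name shown in the CN= comment, serial as base64 of the certificate serial number) would let a reviewer recompute each value from the root certificate itself rather than trust a hand-copied string. The description "VeriSign EV OID" also does not name the G5 root, so it would not distinguish this entry from another VeriSign entry such as the legacy one discussed in this bug; consider including "G5" in it.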

Bug 422518 contains this snippet to approve the new G5 root for EV.
Please speak up if you think this snippet is incorrect.
Verisign representatives, can you please use tomorrow's nightly build and run a couple of tests? Do the sites you expect to work indeed work and give you the EV UI?

This request was completed minutes ago with the patch for bug 425518.

Please note, in addition to enabling Verisign's new "G5" root for EV, I've removed the EV blessing for the "legacy" root, which we had added for testing purposes only (bug 405906).

marking fixed
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Kai, we're lining up a resource to do this test. Please advise on exactly how to obtain tomorrow's nightly build. Also, why are you removing the EV blessing for the "legacy" root? We need that as well, because we do issue EV certs from that root too.
(In reply to comment #5)
> Kai, we're lining up a resource to do this test. Please advise on exactly how
> to obtain tomorrow's nightly build.

You can always get the latest nightly test version from:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/

But I'll also give you a link that is stable, independent of "current date".
The following points to builds from today, and you can pick one based on the platform you prefer.

Linux and Mac are here:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008-04-09-04-trunk/

Windows is here:
ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008-04-09-07-trunk/


> Also, why are you removing the EV blessing
> for the "legacy" root? 

Because originally we had added it for testing purposes only. Should Frank give us a signal that he approves your legacy root for EV, we can add it back. Thanks a lot for the explanation you wrote in bug 405906 comment 18.
We have confirmed that with the Firefox 3 build at ftp://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2008-04-09-07-trunk/
the EV site favicon button turns green. Thanks.
Blocks: 431384
No longer blocks: 431384