Closed Bug 446409 Opened 16 years ago Closed 16 years ago

Enable (refreshed) "GlobalSign Root CA" and "GlobalSign Root CA - R2" for EV

Categories

(Core :: Security: PSM, enhancement)

RESOLVED FIXED

People

(Reporter: hecker, Assigned: KaiE)

Per bug 406796 I have approved the request from GlobalSign to enable its refreshed GlobalSign Root CA certificate and its existing GlobalSign Root CA - R2 certificate for EV use.

The relevant information is as follows:

Name: GlobalSign Root CA
SHA-1 fingerprint:
B1 BC 96 8B D4 F4 9D 62 2A A8 9A 81 F2 15 01 52 A4 1D 82 9C
EV policy OID: 1.3.6.1.4.1.4146.1.1


Name: GlobalSign Root CA - R2
SHA-1 fingerprint:
75:E0:AB:B6:13:85:12:27:1C:04:F8:5F:DD:DE:38:E4:B7:24:2E:FE
EV policy OID: 1.3.6.1.4.1.4146.1.1

Steve, can you please do a final confirmation that these are the correct roots and the correct EV policy OIDs?
Blocks: 406796
No longer blocks: 406794
Hi Frank.   

Sorry I missed that you wanted final confirmation.  I've checked and these are all fine.

Steve
Summary: Enable (refreshed) GlobalSign Root CA and GlobalSign Root CA - R2 for EV → Enable (refreshed) "GlobalSign Root CA" and "GlobalSign Root CA - R2" for EV
Can you please provide a URL to a live Web Site that uses an EV certificate issued by this root?
Clarification: Please provide one example URL for each of the two requested roots.
Depends on: 449892
No feedback, no inclusion.
Please review both https://ev.globalsign.com/ and https://www.globalsign.com.

Thanks,

Steve
I am able to see the green identity UI for both sites given in comment 5.
However, I get a chain to the same root for both sites, so we can't be 100% sure that the second root works fine, too.
(You could provide a test URL that chains to the second root, exclusively, without hitting any cross certs.)

Hi Kai,  

We do not yet issue directly from the 2021 based root so it's not possible to provide a 2021 based cert for a direct 'live' test as such. We used to have the ev.globalsign.com set up to test the 2021 root by not providing the cross cert from that webserver to the 2014, but as 2014 has been superseded by 2028 it's possible that fox determines this is a newer root and if it has the cross cert in cache then it may well use the cross cert to chain down to the 2028? It seems all the browsers handle these differently. If there is a way to kill the cross cert and 2028 root from the fox cache/store before looking at ev.globalsign.com it should then work? IE 7.0 highlights how both chains 4 cert inc cross from www.globalsign.com and 3 cert without cross from ev.globalsign.com works. Thanks
Thanks Steve, that was a good idea. In a test build I completely removed "GlobalSign Root CA", and also used a fresh profile (which does not have any intermediates cached) and then your ev.globalsign.com still works and shows EV, with a chain to the R2 root.
This was fixed in bug 449892
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED