Enable additional EV roots for FF 3.0.2

VERIFIED FIXED

Status

()

Core
Security: PSM
VERIFIED FIXED
10 years ago
10 years ago

People

(Reporter: kaie, Assigned: kaie)

Tracking

({verified1.9.0.2})

1.9.0 Branch
verified1.9.0.2
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Assignee)

Description

10 years ago
I'd like to fix bug 446409 and bug 449394 with a single patch.
(Assignee)

Comment 1

10 years ago
Created attachment 333030 [details] [diff] [review]
Patch v1


Not yet tested, because still waiting for test sites.
Therefore, I'll wait until we have test sites and a positive test result, or a statement that no testing is desired.
(Assignee)

Updated

10 years ago
Depends on: 449883
(Assignee)

Updated

10 years ago
Depends on: 449899
(Assignee)

Comment 2

10 years ago
Comment on attachment 333030 [details] [diff] [review]
Patch v1

I'm asking for review on this patch, which enables 3 new roots for EV.

I have been able to test both GlobalSign roots.

I was unable to test the WellsSecure root yet, because of a technical problem. We don't have confirmation yet whether it's a problem on the CA's OCSP server (which is my understanding) or in NSS.

I think it would make sense to skip enabling the WellsSecure root until we have a positive test.

If you agree, I'd like to propose:

- please r+ the patch if you think it is technically correct

- should we be unable to test WellsSecure before the code freeze, I'll NOT check in portion that enables it, but limit my check in to the 2 GlobalSign roots.
Attachment #333030 - Flags: review?(rrelyea)

Comment 3

10 years ago
Comment on attachment 333030 [details] [diff] [review]
Patch v1

It would be good if a representative from wells is CC'ed on the bug.

If the problem is a missing intermediate on the OCSP responder, loading that intermediate into your database (without setting any trust) should be sufficient to allow the test to complete.

bob
Attachment #333030 - Flags: review?(rrelyea) → review+
(Assignee)

Comment 4

10 years ago
(In reply to comment #3)
> It would be good if a representative from wells is CC'ed on the bug.

WellsSecure is already aware of the problem, I've talked to them by email and via bug 449394.


> If the problem is a missing intermediate on the OCSP responder, loading that
> intermediate into your database (without setting any trust) should be
> sufficient to allow the test to complete.

FYI, see bug 449394. There are additional problems.

(Assignee)

Comment 5

10 years ago
I want to make use of the option I had announced in comment 2.

I'll attach a patch that enables the GlobalSign roots, only.
We should do WellsSecure at a later time, after the issue has been resolved.
(Assignee)

Comment 6

10 years ago
Created attachment 334487 [details] [diff] [review]
Patch v1 with WellsSecure removed

This is the patch with GlobalSign, only. As Bob were aware of the possibility to remove Wells, his r+ still applies. Carrying forward his review.
Attachment #334487 - Flags: review+
(Assignee)

Comment 7

10 years ago
Comment on attachment 334487 [details] [diff] [review]
Patch v1 with WellsSecure removed

Requesting approval for Firefox 3.0.x
Attachment #334487 - Flags: approval1.9.0.2?
(Assignee)

Updated

10 years ago
Flags: blocking1.9.0.2?

Comment 8

10 years ago
re comment 6. I verify I'm OK with dropping Wells if their responder issue is not fixed.

bob
Comment on attachment 334487 [details] [diff] [review]
Patch v1 with WellsSecure removed

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #334487 - Flags: approval1.9.0.2? → approval1.9.0.2+
(Assignee)

Comment 10

10 years ago
marking fixed on trunk and 1.9.0.2

removing dependency for wells
No longer blocks: 449394
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Flags: blocking1.9.0.2?
Keywords: fixed1.9.0.2
Resolution: --- → FIXED

Comment 11

10 years ago
We need to get this verified for 1.9.0.2. Kai, can you confirm with the build 4 of 1.9.0.2?
(Assignee)

Comment 12

10 years ago
(In reply to comment #11)
> We need to get this verified for 1.9.0.2. Kai, can you confirm with the build 4
> of 1.9.0.2?

You could verify yourself if you want.
Go to https://ev.globalsign.com/

If you see the green identity UI, it's verified.

(no such UI with earlier FF versions for globalsign)

Comment 13

10 years ago
Verified with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2) Gecko/2008090212 Firefox/3.0.2.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.2 → verified1.9.0.2
You need to log in before you can comment on or make changes to this bug.