Add COMODO ECC Certification Authority certificate to NSS

RESOLVED FIXED in 3.12.2

Product: NSS
Component: Libraries
Severity: enhancement
Status: RESOLVED FIXED
Reporter: Frank Hecker
Assignee: kaie
Version: unspecified
Target Milestone: 3.12.2
Attachments: 2

(Reporter)

Description

9 years ago
This bug requests inclusion in the NSS root certificate store of the following certificate, owned by Comodo:

Friendly name: "Comodo ECC Certification Authority"
Certificate location:
http://crt.comodoca.com/COMODOECCCertificationAuthority.crt
SHA1 Fingerprint:
9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11
Trust flags: all

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate(s) approved for inclusion in bug 421946.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.
(Reporter)

Updated

9 years ago
Blocks: 450429

Comment 1

9 years ago
Hi. The data in this bug is all correct, except for one minor thing...

Please change "Comodo" to "COMODO" to make the friendly name "COMODO ECC Certification Authority".  This is the exact value of the Common Name in the certificate.

Thanks.

Comment 2

9 years ago
Kai, do you think you'll be able to get this Root Certificate added in time for the Firefox 3.0.2 code freeze this Friday (15th) ?
(Assignee)

Comment 3

9 years ago
(In reply to comment #2)
> Kai, do you think you'll be able to get this Root Certificate added in time for
> the Firefox 3.0.2 code freeze this Friday (15th) ?

No, sorry, no way. The time is too short for doing the binary test build.

Comment 4

9 years ago
Kai, it's been 6 weeks.  Is there a reason for the hold up?

Frank told me a while ago that we could reasonably expect this Root to be targeted for Firefox 3.0.3.

Thanks.
(Assignee)

Comment 5

9 years ago
I must try to minimize work, and adding several CAs in a single step saves a lot of repetitive work.

I'm waiting for a GO signal that no additional CAs are desired for the next round of CA additions. I have sent email to Frank, asking him about the plans for this round.

Comment 6

9 years ago
Kai, any news?  Have you received "a GO signal" from Frank yet?

Also, I've just noticed a couple of errors for this Root's entry on:
http://www.mozilla.org/projects/security/certs/pending/#Comodo

"Modulus (key length)	2048" should in fact be...
"Modulus (key length)	SECG elliptic curve secp384r1 (aka NIST P-384)"

"Valid From	2000-03-06" should in fact be...
"Valid From	2008-03-06"

Thanks.
(Assignee)

Comment 7

9 years ago
Rob, I've now coordinated with Frank, and we decided that your root will be the only new root for the next round. I've also learned that the code freeze for FF 3.0.4 will be Oct 24, so we'll have to work quickly. I'll try to produce a test binary roots module today, would be great if you could prepare to get it tested soon. More updates from me today.
(Assignee)

Comment 8

9 years ago
Created attachment 343488 [details] [diff] [review]
Patch v1
(Assignee)

Comment 9

9 years ago
Change to certdata.txt was produced using:

addbuiltin -n "COMODO ECC Certification Authority" -t C,C,C < COMODOECCCertificationAuthority.crt >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt
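
A pre-import check for the addbuiltin step above, as an added example that is not part of the original comment or of the NSS tooling: it refuses to append to certdata.txt unless the SHA-1 of the DER file equals the fingerprint listed in the bug description. The function names and argument order are assumptions made for this sketch; the addbuiltin flags are the ones shown in the comment.

```shell
#!/bin/sh
# Added example: gate the root-store import on the fingerprint approved in the bug.
# Function names below are hypothetical; only addbuiltin -n/-t come from the page.

# SHA-1 fingerprint as given in the bug description.
APPROVED_SHA1="9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11"

# Print the SHA-1 of a file's raw bytes as colon-separated upper-case hex.
# For a DER-encoded certificate this value is the certificate fingerprint.
der_sha1_fingerprint() {
    sha1sum < "$1" | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Return 0 only if the file is readable and its fingerprint equals $2.
# The expected value is upper-cased first, so the comparison ignores case.
fingerprint_matches() {
    [ -r "$1" ] || return 2
    actual=$(der_sha1_fingerprint "$1")
    want=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ "$actual" = "$want" ]
}

# Run the import command from the comment only after the check passes.
# $1 = DER file, $2 = nickname, $3 = trust flags, $4 = path to certdata.txt
guarded_addbuiltin() {
    if ! fingerprint_matches "$1" "$APPROVED_SHA1"; then
        echo "refusing import: fingerprint of $1 does not match the approved value" >&2
        return 1
    fi
    addbuiltin -n "$2" -t "$3" < "$1" >> "$4"
}
```

Because the certificate location in the description is a plain http URL, the fingerprint comparison is the integrity check on the downloaded file.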
(Assignee)

Comment 10

9 years ago
I prepared a Firefox TEST build that should contain the new root as intended.

Please try one of the builds from this directory:
https://build.mozilla.org/tryserver-builds/2008-10-16_18:54-kaie@kuix.de-comodo450429/

Please test this build and give feedback, whether your new root has been correctly added, including the trust flags.

Comment 11

9 years ago
(in reply to comment #10)
Kai, I've just tested *-win32.installer.exe on WinXP.  I confirm that the COMODO ECC Certification Authority root has been correctly added, including the trust flags.

Thanks.
(Assignee)

Comment 12

9 years ago
Comment on attachment 343488 [details] [diff] [review]
Patch v1

Asking Nelson for review.

Please ignore the changes to certdata.c

Please feel free to limit your review to the "addbuiltin command" that I executed and mentioned above.
Attachment #343488 - Flags: review?(nelson)
(Assignee)

Comment 13

9 years ago
Once reviewed I'll produce an equivalent patch for NSS 3.11.x and ask for separate review for 3.11 landing.

Comment 14

Attachment #343488 - Flags: review?(nelson) → review+
Comment on attachment 343488 [details] [diff] [review]
Patch v1

r=me
(Assignee)

Comment 15

9 years ago
checked in to trunk

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.51; previous revision: 1.50
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.50; previous revision: 1.49
done
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.17; previous revision: 1.16
done
(Assignee)

Comment 16

9 years ago
The next decision is how to deliver NSS into Firefox 3.0.x.

We don't have support to deliver a new NSS with code changes; Samuel Sidler rejected that as too risky at this point of time.

We have the option to deliver an updated snapshot like NSS_3_12_1_WITH_CKBI_1_72.

I've proposed this to the NSS developers and am waiting for their opinions. Hopefully this will get approved.
(Assignee)

Comment 17

9 years ago
Created attachment 343931 [details] [diff] [review]
certdata.txt subset

This patch is a subset of Patch v1.
It contains the certdata.txt changes, and those already have r=nelson.

I'm requesting a second review from Bob for 3.11 checkin.
Attachment #343931 - Flags: superreview?(rrelyea)
Attachment #343931 - Flags: review+

Comment 18

9 years ago
Comment on attachment 343931 [details] [diff] [review]
certdata.txt subset

r+ rrelyea
Attachment #343931 - Flags: superreview?(rrelyea) → superreview+
(Assignee)

Comment 19

9 years ago
Thanks for the second review, checked in to NSS 3.11 branch:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.36.24.14; previous revision: 1.36.24.13
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.37.24.13; previous revision: 1.37.24.12
done

Marking fixed.
(Assignee)

Comment 20

9 years ago
NSS tag NSS_3_12_1_WITH_CKBI_1_72_RTM has been produced, will now offer this tag to Mozilla drivers for the next Firefox 3.0.x release

Marking this bug fixed.
(Assignee)

Updated

9 years ago
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12.2