Last Comment Bug 450427 - Add COMODO ECC Certification Authority certificate to NSS
: Add COMODO ECC Certification Authority certificate to NSS
Product: NSS
Classification: Components
Component: Libraries (show other bugs)
: unspecified
: All All
: -- enhancement (vote)
: 3.12.2
Assigned To: Kai Engert (:kaie)
Depends on:
Blocks: 450429
  Show dependency treegraph
Reported: 2008-08-13 09:07 PDT by Frank Hecker
Modified: 2008-10-20 21:45 PDT (History)
5 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---

Patch v1 (16.44 KB, patch)
2008-10-16 18:44 PDT, Kai Engert (:kaie)
nelson: review+
Details | Diff | Splinter Review
certdata.txt subset (6.26 KB, patch)
2008-10-20 10:03 PDT, Kai Engert (:kaie)
kaie: review+
rrelyea: superreview+
Details | Diff | Splinter Review

Description Frank Hecker 2008-08-13 09:07:22 PDT
This bug requests inclusion in the NSS root certificate store of the following certificate, owned by Comodo:

Friendly name: "Comodo ECC Certification Authority"
Certificate location:
SHA1 Fingerprint:
Trust flags: all

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate(s) approved for inclusion in bug 421946.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.
Comment 1 Rob Stradling 2008-08-13 11:24:31 PDT
Hi. The data in this bug is all correct, except for one minor thing...

Please change "Comodo" to "COMODO" to make the friendly name "COMODO ECC Certification Authority".  This is the exact value of the Common Name in the certificate.

Comment 2 Rob Stradling 2008-08-13 13:43:37 PDT
Kai, do you think you'll be able to get this Root Certificate added in time for the Firefox 3.0.2 code freeze this Friday (15th) ?
Comment 3 Kai Engert (:kaie) 2008-08-14 06:28:41 PDT
(In reply to comment #2)
> Kai, do you think you'll be able to get this Root Certificate added in time for
> the Firefox 3.0.2 code freeze this Friday (15th) ?

No, sorry, no way. The time is too short for doing the binary test build.
Comment 4 Rob Stradling 2008-09-25 02:20:33 PDT
Kai, it's been 6 weeks.  Is there a reason for the hold up?

Frank told me a while ago that we could reasonably expect this Root to be targeted for Firefox 3.0.3.

Comment 5 Kai Engert (:kaie) 2008-09-25 05:51:48 PDT
I must try to minimize work, and adding several CAs in a single step saves a lot of repetitive work.

I'm waiting for a GO signal that no additional CAs are desired for the next round of CA additions. I have sent email to Frank, asking him about the plans for this round.
Comment 6 Rob Stradling 2008-10-14 06:25:06 PDT
Kai, any news?  Have you received "a GO signal" from Frank yet?

Also, I've just noticed a couple of errors for this Root's entry on:

"Modulus (key length)	2048" should in fact be...
"Modulus (key length)	SECG elliptic curve secp384r1 (aka NIST P-384)"

"Valid From	2000-03-06" should in fact be...
"Valid From	2008-03-06"

Comment 7 Kai Engert (:kaie) 2008-10-16 13:32:53 PDT
Rob, I've now coordinated with Frank, and we decided that your root will be the only new root for the next round. I've also learned that the code freeze for FF 3.0.4 will be Oct 24, so we'll have to work quickly. I'll try to produce a test binary roots module today, would be great if you could prepare to get it tested soon. More updates from me today.
Comment 8 Kai Engert (:kaie) 2008-10-16 18:44:37 PDT
Created attachment 343488 [details] [diff] [review]
Patch v1
Comment 9 Kai Engert (:kaie) 2008-10-16 18:46:32 PDT
Change to certdata.txt was produced using:

addbuiltin -n "COMODO ECC Certification Authority" -t C,C,C < COMODOECCCertificationAuthority.crt >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt
Comment 10 Kai Engert (:kaie) 2008-10-16 20:58:00 PDT
I prepared a Firefox TEST build that should contain the new root as intended.

Please try one of the builds from this directory:

Please test this build and give feedback, whether your new root has been correctly added, including the trust flags.
Comment 11 Rob Stradling 2008-10-17 00:21:17 PDT
(in reply to comment #10)
Kai, I've just tested *-win32.installer.exe on WinXP.  I confirm that the COMODO ECC Certification Authority root has been correctly added, including the trust flags.

Comment 12 Kai Engert (:kaie) 2008-10-17 09:11:31 PDT
Comment on attachment 343488 [details] [diff] [review]
Patch v1

Asking Nelson for review.

Please ignore the changes to certdata.c

Please feel free to limit your review to the "addbuiltin command" that I executed and mentioned above.
Comment 13 Kai Engert (:kaie) 2008-10-17 09:12:32 PDT
Once reviewed I'll produce an equivalent patch for NSS 3.11.x and ask for separate review for 3.11 landing.
Comment 14 Nelson Bolyard (seldom reads bugmail) 2008-10-17 09:20:27 PDT
Comment on attachment 343488 [details] [diff] [review]
Patch v1

Comment 15 Kai Engert (:kaie) 2008-10-17 16:07:07 PDT
checked in to trunk

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.51; previous revision: 1.50
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.50; previous revision: 1.49
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.17; previous revision: 1.16
Comment 16 Kai Engert (:kaie) 2008-10-17 16:34:54 PDT
The next decision is how to deliver NSS into Firefox 3.0.x

We don't have support to deliver a new NSS with code changes, Samuel Sidler rejected that as too risky at this point of time.

We have the option to deliver an updated snapshot like NSS_3_12_1_WITH_CKBI_1_72

I've proposed this to the NSS developers and are waiting for their opinions. Hopefully this will get approved.
Comment 17 Kai Engert (:kaie) 2008-10-20 10:03:13 PDT
Created attachment 343931 [details] [diff] [review]
certdata.txt subset

This patch is a subset of Patch v1.
It contains the certdata.txt changes, and those already have r=nelson.

I'm requesting a second review from Bob for 3.11 checkin.
Comment 18 Robert Relyea 2008-10-20 17:47:24 PDT
Comment on attachment 343931 [details] [diff] [review]
certdata.txt subset

r+ rrelyea
Comment 19 Kai Engert (:kaie) 2008-10-20 21:09:14 PDT
Thanks for the second review, checked in to NSS 3.11 branch:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision:; previous revision:
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision:; previous revision:

Marking fixed.
Comment 20 Kai Engert (:kaie) 2008-10-20 21:10:17 PDT
NSS tag NSS_3_12_1_WITH_CKBI_1_72_RTM has been produced, will now offer this tag to Mozilla drivers for the next Firefox 3.0.x release

Marking this bug fixed.

Note You need to log in before you can comment on or make changes to this bug.