Closed Bug 450427 Opened 13 years ago Closed 13 years ago

Add COMODO ECC Certification Authority certificate to NSS


(NSS :: Libraries, enhancement)

Not set


(Not tracked)



(Reporter: hecker, Assigned: KaiE)




(2 files)

This bug requests inclusion in the NSS root certificate store of the following certificate, owned by Comodo:

Friendly name: "Comodo ECC Certification Authority"
Certificate location:
SHA1 Fingerprint:
Trust flags: all

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate(s) approved for inclusion in bug 421946.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate(s) have been attached. They must also specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new certificate(s), and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificate(s) have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.
Blocks: 450429
Hi. The data in this bug is all correct, except for one minor thing...

Please change "Comodo" to "COMODO" to make the friendly name "COMODO ECC Certification Authority".  This is the exact value of the Common Name in the certificate.

Kai, do you think you'll be able to get this Root Certificate added in time for the Firefox 3.0.2 code freeze this Friday (15th) ?
(In reply to comment #2)
> Kai, do you think you'll be able to get this Root Certificate added in time for
> the Firefox 3.0.2 code freeze this Friday (15th) ?

No, sorry, no way. The time is too short for doing the binary test build.
Kai, it's been 6 weeks.  Is there a reason for the hold up?

Frank told me a while ago that we could reasonably expect this Root to be targeted for Firefox 3.0.3.

I must try to minimize work, and adding several CAs in a single step saves a lot of repetitive work.

I'm waiting for a GO signal that no additional CAs are desired for the next round of CA additions. I have sent email to Frank, asking him about the plans for this round.
Kai, any news?  Have you received "a GO signal" from Frank yet?

Also, I've just noticed a couple of errors for this Root's entry on:

"Modulus (key length)	2048" should in fact be...
"Modulus (key length)	SECG elliptic curve secp384r1 (aka NIST P-384)"

"Valid From	2000-03-06" should in fact be...
"Valid From	2008-03-06"

Rob, I've now coordinated with Frank, and we decided that your root will be the only new root for the next round. I've also learned that the code freeze for FF 3.0.4 will be Oct 24, so we'll have to work quickly. I'll try to produce a test binary roots module today, would be great if you could prepare to get it tested soon. More updates from me today.
Attached patch Patch v1Splinter Review
Change to certdata.txt was produced using:

addbuiltin -n "COMODO ECC Certification Authority" -t C,C,C < COMODOECCCertificationAuthority.crt >> mozilla/security/nss/lib/ckfw/builtins/certdata.txt
I prepared a Firefox TEST build that should contain the new root as intended.

Please try one of the builds from this directory:

Please test this build and give feedback, whether your new root has been correctly added, including the trust flags.
(in reply to comment #10)
Kai, I've just tested *-win32.installer.exe on WinXP.  I confirm that the COMODO ECC Certification Authority root has been correctly added, including the trust flags.

Comment on attachment 343488 [details] [diff] [review]
Patch v1

Asking Nelson for review.

Please ignore the changes to certdata.c

Please feel free to limit your review to the "addbuiltin command" that I executed and mentioned above.
Attachment #343488 - Flags: review?(nelson)
Once reviewed I'll produce an equivalent patch for NSS 3.11.x and ask for separate review for 3.11 landing.
Attachment #343488 - Flags: review?(nelson) → review+
checked in to trunk

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.51; previous revision: 1.50
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.50; previous revision: 1.49
Checking in nssckbi.h;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/nssckbi.h,v  <--  nssckbi.h
new revision: 1.17; previous revision: 1.16
The next decision is how to deliver NSS into Firefox 3.0.x

We don't have support to deliver a new NSS with code changes, Samuel Sidler rejected that as too risky at this point of time.

We have the option to deliver an updated snapshot like NSS_3_12_1_WITH_CKBI_1_72

I've proposed this to the NSS developers and are waiting for their opinions. Hopefully this will get approved.
This patch is a subset of Patch v1.
It contains the certdata.txt changes, and those already have r=nelson.

I'm requesting a second review from Bob for 3.11 checkin.
Attachment #343931 - Flags: superreview?(rrelyea)
Attachment #343931 - Flags: review+
Comment on attachment 343931 [details] [diff] [review]
certdata.txt subset

r+ rrelyea
Attachment #343931 - Flags: superreview?(rrelyea) → superreview+
Thanks for the second review, checked in to NSS 3.11 branch:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision:; previous revision:
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision:; previous revision:

Marking fixed.
NSS tag NSS_3_12_1_WITH_CKBI_1_72_RTM has been produced, will now offer this tag to Mozilla drivers for the next Firefox 3.0.x release

Marking this bug fixed.
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.12.2
You need to log in before you can comment on or make changes to this bug.