Per bug 421946 I have approved the request from Comodo to enable its Comodo ECC Certification Authority root certificate for EV use. Please make the corresponding changes to PSM. The relevant information is as follows:
Name: Comodo ECC Certification Authority
SHA-1 fingerprint: 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11
EV policy OID: 184.108.40.206.4.1.64220.127.116.11.5.1
That's the correct SHA-1 fingerprint and EV Policy OID, but the Root Certificate's name has "COMODO" in capitals. Thanks.
I tried to test, but got an error with your test site: https://comodoecccertificationauthority-ev.comodoca.com/
Secure Connection Failed
An error occurred during a connection to comodoecccertificationauthority-ev.comodoca.com.
The OCSP server has refused this request as unauthorized.
(Error code: sec_error_ocsp_unauthorized_request)
Note that I got the previous error because I configured my Firefox profile to treat certs as invalid if an OCSP server connection fails. If I switch Firefox into the relaxed mode (default), I can connect to your site, but I don't get the EV UI, because of the OCSP failure.
(in reply to Comments #2 and #3) Kai, Bug #421946 Comment #2 still applies today. We anticipate bringing our ECC private keys online soon. Once we've done that, we will be able to generate OCSP Responses properly.
(further to Bug #450427 Comment #11) Since Bug #413997 is still unresolved, I've just tested your *-win32.installer.exe test build with our "second test EV certificate that contains neither CRL nor OCSP URLs". I got the EV UI. :-)
(in reply to Comment #4) I notice that your Patch v1 also adds a missing comma to the entry for the Sample Certification Authority. Now that there are 20+ real EV Roots in myTrustedEVInfos, I think that the entry for Sample Certification Authority has served its purpose and could now be removed. What do you think?
Comment on attachment 343489, Patch v1
I need this review very soon, or we'll miss the train. Checkin deadline is Friday, but I will be travelling on Friday. Given that we review, trunk checkin, branch approval, then branch landing, we're very short on time.
Attachment #343489 - Flags: superreview?(nelson)
Comment on attachment 343489, Patch v1
r=nelson
Attachment #343489 - Flags: superreview?(nelson) → review+
Comment on attachment 343489, Patch v1
Nelson, thanks for helping out with this review.
Pushed to mozilla-central, although I realize it doesn't make much sense without landing NSS, will do that soon. 20742:91cdfc32b8d4
Comment on attachment 343489, Patch v1
required for bug 451305
Attachment #343489 - Flags: approval18.104.22.168?
Attachment #343489 - Flags: approval22.214.171.124? → approval126.96.36.199+
Comment on attachment 343489, Patch v1
Approved for 188.8.131.52, a=dveditz for release-drivers
Checked in to cvs trunk for 184.108.40.206
Checking in nsIdentityChecking.cpp;
/cvsroot/mozilla/security/manager/ssl/src/nsIdentityChecking.cpp,v <-- nsIdentityChecking.cpp
new revision: 1.25; previous revision: 1.24
done
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Verified for 220.127.116.11 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:18.104.22.168pre) Gecko/2008102306 GranParadiso/3.0.4pre. I don't get the security error any longer that I receive with 3.0.3.
Status: RESOLVED → VERIFIED
Keywords: fixed22.214.171.124 → verified126.96.36.199