Closed Bug 450429 Opened 16 years ago Closed 16 years ago

Enable COMODO ECC Certificate Authority for EV in PSM

Categories: Core :: Security: PSM, enhancement

Status: VERIFIED FIXED

People: Reporter: hecker, Assigned: KaiE

Keywords: verified1.9.0.4

Attachments: 1 file

Per bug 421946 I have approved the request from Comodo to enable its Comodo ECC Certification Authority root certificate for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows:

Name: Comodo ECC Certification Authority

SHA-1 fingerprint: 9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11

EV policy OID: 1.3.6.1.4.1.6449.1.2.1.5.1
Blocks: 421946
Depends on: 450427
That's the correct SHA-1 fingerprint and EV Policy OID, but the Root Certificate's name has "COMODO" in capitals.  Thanks.
I tried to test, but got an error with your test site:

https://comodoecccertificationauthority-ev.comodoca.com/


Secure Connection Failed

An error occurred during a connection to comodoecccertificationauthority-ev.comodoca.com.

The OCSP server has refused this request as unauthorized.

(Error code: sec_error_ocsp_unauthorized_request)
Note that I got the previous error, because I configured my Firefox profile to treat certs as invalid, if an OCSP server connection fails.

If I switch Firefox into the relaxed mode (default), I can connect to your site, but I don't get the EV UI, because of the OCSP failure.
Attached patch: Patch v1
(in reply to Comments #2 and #3)
Kai, Bug #421946 Comment #2 still applies today.  We anticipate bringing our ECC private keys online soon.  Once we've done that, we will be able to generate OCSP Responses properly.

(further to Bug #450427 Comment #11)
Since Bug #413997 is still unresolved, I've just tested your *-win32.installer.exe test build with our "second test EV certificate that contains neither CRL nor OCSP URLs".  I got the EV UI.  :-)

(in reply to Comment #4)
I notice that your Patch v1 also adds a missing comma to the entry for the Sample Certification Authority.  Now that there are 20+ real EV Roots in myTrustedEVInfos[], I think that the entry for Sample Certification Authority has served its purpose and could now be removed.  What do you think?
Attachment #343489 - Flags: review?(rrelyea)
Comment on attachment 343489
Patch v1

I need this review very soon, or we'll miss the train. Checkin deadline is Friday, but I will be travelling on Friday. Given that we review, trunk checkin, branch approval, then branch landing, we're very short on time.
Attachment #343489 - Flags: superreview?(nelson)
Comment on attachment 343489
Patch v1

r=nelson
Attachment #343489 - Flags: superreview?(nelson) → review+
Comment on attachment 343489
Patch v1

Nelson, thanks for helping out with this review.
Attachment #343489 - Flags: review?(rrelyea)
Pushed to mozilla-central, although I realize it doesn't make much sense without landing NSS, will do that soon.

20742:91cdfc32b8d4
Blocks: ev303
Comment on attachment 343489
Patch v1

required for bug 451305
Attachment #343489 - Flags: approval1.9.0.4?
Attachment #343489 - Flags: approval1.9.0.4? → approval1.9.0.4+
Comment on attachment 343489
Patch v1

Approved for 1.9.0.4, a=dveditz for release-drivers
Checked in to cvs trunk for 1.9.0.4

Checking in nsIdentityChecking.cpp;
/cvsroot/mozilla/security/manager/ssl/src/nsIdentityChecking.cpp,v  <--  nsIdentityChecking.cpp
new revision: 1.25; previous revision: 1.24
done
Status: NEW → RESOLVED
Closed: 16 years ago
Keywords: fixed1.9.0.4
Resolution: --- → FIXED
Verified for 1.9.0.4 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4pre) Gecko/2008102306 GranParadiso/3.0.4pre. I don't get the security error any longer that I receive with 3.0.3.
Status: RESOLVED → VERIFIED