Enable COMODO ECC Certificate Authority for EV in PSM

VERIFIED FIXED

Status

enhancement
11 years ago
11 years ago

People

(Reporter: hecker, Assigned: kaie)

Tracking

({verified1.9.0.4})

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

11 years ago
Per bug 421946 I have approved the request from Comodo to enable its Comodo ECC Certification Authority root certificate for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows:

Name: Comodo ECC Certification Authority

SHA-1 fingerprint:
9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11

EV policy OID: 1.3.6.1.4.1.6449.1.2.1.5.1
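
An added example, not part of the original bug or of PSM's code: a stdlib-only Python check that a root's DER bytes hash to the SHA-1 fingerprint given above and that a leaf certificate carries the EV policy OID. The function names, the `EV_ROOTS` table and the sample bytes are constructed for illustration, and the OID test is a byte search rather than a parse of the certificatePolicies extension.

```python
import hashlib

# Fingerprint and EV policy OID as quoted in the bug description.
EV_ROOTS = {
    "9F:74:4E:9F:2B:4D:BA:EC:0F:31:2C:50:B6:56:3B:8E:2D:93:C3:11":
        "1.3.6.1.4.1.6449.1.2.1.5.1",
}

def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-1 of the certificate's DER bytes."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (tag 0x06, short-form length only)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID: " + dotted)
    body = bytearray()
    # The first two arcs share one value; every value is base-128 encoded.
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("OID too long for short-form length")
    return bytes([0x06, len(body)]) + bytes(body)

def check_ev_entry(root_der: bytes, leaf_der: bytes, table=EV_ROOTS):
    """Return (ok, reason) for a root/leaf pair against the EV table."""
    oid = table.get(sha1_fingerprint(root_der))
    if oid is None:
        return False, "root fingerprint not in EV table"
    # Heuristic: byte search for the encoded OID, not an extension parse.
    if encode_oid(oid) not in leaf_der:
        return False, "leaf does not carry EV policy OID " + oid
    return True, "root listed and leaf carries " + oid

if __name__ == "__main__":
    # Constructed stand-ins for DER files; real use reads them from disk.
    root = b"constructed root bytes"
    leaf = b"\x30\x10" + encode_oid("1.3.6.1.4.1.6449.1.2.1.5.1")
    print(check_ev_entry(root, leaf))  # constructed root is not listed
    print(check_ev_entry(root, leaf, {sha1_fingerprint(root): "1.3.6.1.4.1.6449.1.2.1.5.1"}))
```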
(Reporter)

Updated

11 years ago
Blocks: 421946
Depends on: 450427

Comment 1

11 years ago
That's the correct SHA-1 fingerprint and EV Policy OID, but the Root Certificate's name has "COMODO" in capitals.  Thanks.
(Assignee)

Comment 2

11 years ago
I tried to test, but got an error with your test site:

https://comodoecccertificationauthority-ev.comodoca.com/


Secure Connection Failed

An error occurred during a connection to comodoecccertificationauthority-ev.comodoca.com.

The OCSP server has refused this request as unauthorized.

(Error code: sec_error_ocsp_unauthorized_request)
(Assignee)

Comment 3

11 years ago
Note that I got the previous error, because I configured my Firefox profile to treat certs as invalid, if an OCSP server connection fails.

If I switch Firefox into the relaxed mode (default), I can connect to your site, but I don't get the EV UI, because of the OCSP failure.
(Assignee)

Comment 4

11 years ago
Posted patch: Patch v1

Comment 5

11 years ago
(in reply to Comments #2 and #3)
Kai, Bug #421946 Comment #2 still applies today.  We anticipate bringing our ECC private keys online soon.  Once we've done that, we will be able to generate OCSP Responses properly.

(further to Bug #450427 Comment #11)
Since Bug #413997 is still unresolved, I've just tested your *-win32.installer.exe test build with our "second test EV certificate that contains neither CRL nor OCSP URLs".  I got the EV UI.  :-)

(in reply to Comment #4)
I notice that your Patch v1 also adds a missing comma to the entry for the Sample Certification Authority.  Now that there are 20+ real EV Roots in myTrustedEVInfos[], I think that the entry for Sample Certification Authority has served its purpose and could now be removed.  What do you think?
(Assignee)

Updated

11 years ago
Attachment #343489 - Flags: review?(rrelyea)
(Assignee)

Comment 6

11 years ago
Comment on attachment 343489
Patch v1

I need this review very soon, or we'll miss the train. Checkin deadline is Friday, but I will be travelling on Friday. Given that we review, trunk checkin, branch approval, then branch landing, we're very short on time.
Attachment #343489 - Flags: superreview?(nelson)
Comment on attachment 343489
Patch v1

r=nelson
Attachment #343489 - Flags: superreview?(nelson) → review+
(Assignee)

Comment 8

11 years ago
Comment on attachment 343489
Patch v1

Nelson, thanks for helping out with this review.
Attachment #343489 - Flags: review?(rrelyea)
(Assignee)

Comment 9

11 years ago
Pushed to mozilla-central, although I realize it doesn't make much sense without landing NSS, will do that soon.

20742:91cdfc32b8d4
(Assignee)

Updated

11 years ago
Blocks: 451305
(Assignee)

Comment 10

11 years ago
Comment on attachment 343489
Patch v1

required for bug 451305
Attachment #343489 - Flags: approval1.9.0.4?
Attachment #343489 - Flags: approval1.9.0.4? → approval1.9.0.4+
Comment on attachment 343489
Patch v1

Approved for 1.9.0.4, a=dveditz for release-drivers
(Assignee)

Comment 12

11 years ago
Checked in to cvs trunk for 1.9.0.4

Checking in nsIdentityChecking.cpp;
/cvsroot/mozilla/security/manager/ssl/src/nsIdentityChecking.cpp,v  <--  nsIdentityChecking.cpp
new revision: 1.25; previous revision: 1.24
done
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Keywords: fixed1.9.0.4
Resolution: --- → FIXED
Verified for 1.9.0.4 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.4pre) Gecko/2008102306 GranParadiso/3.0.4pre. I don't get the security error any longer that I receive with 3.0.3.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.0.4 → verified1.9.0.4