Per bug 477028 the request from Buypass has been approved to enable its Buypass Class 3 CA 1 root certificate for EV use. Please make the corresponding changes to PSM. The relevant information is as follows:
Friendly name: Buypass Class 3 CA 1
SHA1 Fingerprint: 61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71
EV policy OID: 2.16.522.214.171.124.3.3
Test URL: https://evident.ssl.buypass.no/ssl/evident/
As the representative of the CA (Buypass) I hereby confirm that the above information / data is correct. Thanks for your efforts! Rgds., John Arild A. Johansen • CSO • Buypass AS
Hi, here at Buypass we're quite eager to get our certificates included, so I'm posting a "request for status" for this bug to see if we can get some additional information on the schedule. Rgds., John John Arild A. Johansen • CSO • Buypass AS
I began to work on this. I built a test version of Firefox, using the code from bug 499712 that added several new CAs. My test used NSS 126.96.36.199 + new roots. When I connect to https://evident.ssl.buypass.no/ssl/evident/ I get an error message: An error occurred during a connection to evident.ssl.buypass.no. The OCSP server found the request to be corrupted or improperly formed. (Error code: sec_error_ocsp_malformed_request) It seems the OCSP server rejects our standard OCSP requests (that work well everywhere else) and the OCSP server does not give a valid response. This is a failure in my profile, because I have configured Firefox to complain about OCSP server errors (security.ocsp.require = 1). Buypass, please fix your OCSP server, before we can proceed with this bug and let us know. If you believe this error is not on your side, then please provide evidence, log files, descriptions, etc. Thank you.
Created attachment 401121 Patch v1 Code used to grant EV privileges to Buypass CA as requested. However, because of the OCSP server error, no green EV chrome is seen yet, as expected. We'll request code review after we have a positive test result.
Kai, our test site has now been fixed. Sorry for the inconvenience and thanks for your efforts so far.
Thanks for the quick turnaround. I was able to get a green verification result with your test site. We need a slightly different patch, will attach in a moment.
Created attachment 401219 Patch v2 I notice the existing code that processes our static list of EV roots is case sensitive, this new patch changes the fingerprint to all uppercase, in order to remind us when working on future additions.
Comment on attachment 401219 Patch v2 r+ I presume Buypass is already in the nssckbi. bob
Yes, see bug 499712 :-D https://bugzilla.mozilla.org/show_bug.cgi?id=499712 Rgds., John Arild A. Johansen • CSO • Buypass AS
Hi, here at Buypass we're quite eager to get our certificates included AND EV enabled...hopefully in version 3.6 of Firefox, so I'm posting a "request for status" for this bug. Best regards, John
Prior to adding this patch to Mozilla, each desired branch must get updated to NSS 3.12.5, which will be released soon. I filed a tracker bug for this delivery. Right now Mozilla still uses 3.12.4 (or earlier) on all branches.
Hi, not being included in the current Beta4 of Firefox either...I take the liberty to again submit a "request for status" for this bug. Best regards, John
Pushed to mozilla-central http://hg.mozilla.org/mozilla-central/rev/d5ad580e03b1
pushed to mozilla-1.9.2 http://hg.mozilla.org/releases/mozilla-1.9.2/rev/6b2b01c69d4e
Comment on attachment 401219 Patch v2
>+ "Buypass Class 3 CA 1", // for real entries use a string like "Sample INVALID EV OID"
The (copied) comment seems bogus here.
Comment on attachment 401219 Patch v2 Approved for 188.8.131.52, a=dveditz for release-drivers
(In reply to comment #17)
> pushed
> http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab
Sorry, I made a mistake when I landed the patch into the Firefox 3.5.x, Mozilla 1.9.1 branch. I accidentally landed the old patch, which used lowercase for the fingerprint, but we require uppercase for the comparison to succeed. I propose to fix this by backing out the wrong patch and applying the correct patch.
I'm asking for blocking1.9.1 as a way to ask for approval to fix the wrong patch.
Messing with this bug further is going to confuse things, especially since we've already shipped this fix. We can fix this in bug 546023.
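The case-sensitivity problem discussed in this bug (a lowercase fingerprint in a static EV root list never matching), shown as an added example that is not PSM's code or part of the original thread. `EvRoot`, `find_root`, `format_fingerprint` and `is_canonical_fingerprint` are hypothetical names, and the uppercase runtime rendering is an assumption based on the comments above; the lint function shows a check that would flag the lowercase entry before it ships.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Hypothetical stand-in for one row of a static EV root list.
struct EvRoot { std::string name, sha1_fingerprint; };

// Fingerprint as quoted in this bug (lowercase, Patch v1) and uppercased (Patch v2).
const std::string kLowerFp = "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71";
const std::string kUpperFp = "61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71";
// The same 20 digest bytes, standing in for a certificate's computed SHA-1.
const std::vector<uint8_t> kDigest = {0x61,0x57,0x3a,0x11,0xdf,0x0e,0xd8,0x7e,0xd5,0x92,
                                      0x65,0x22,0xea,0xd0,0x56,0xd7,0x44,0xb3,0x23,0x71};

// Assumed runtime rendering: uppercase hex octets joined by ':'.
std::string format_fingerprint(const std::vector<uint8_t>& digest) {
    static const char hex[] = "0123456789ABCDEF";
    std::string out;
    for (size_t i = 0; i < digest.size(); ++i) {
        if (i) out += ':';
        out += hex[digest[i] >> 4];
        out += hex[digest[i] & 0x0F];
    }
    return out;
}

// Case-sensitive match against the list, the behaviour described in the thread.
const EvRoot* find_root(const std::vector<EvRoot>& table, const std::string& fp) {
    for (const auto& r : table)
        if (r.sha1_fingerprint == fp) return &r;
    return nullptr;
}

// Lint for a list entry: 20 octets, "XX:XX:..." layout, uppercase hex only.
bool is_canonical_fingerprint(const std::string& fp) {
    if (fp.size() != 20 * 3 - 1) return false;
    for (size_t i = 0; i < fp.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(fp[i]);
        if (i % 3 == 2) { if (c != ':') return false; }
        else if (!std::isdigit(c) && !(c >= 'A' && c <= 'F')) return false;
    }
    return true;
}

int main() {
    for (const std::string& entry : {kLowerFp, kUpperFp}) {
        std::vector<EvRoot> table = {{"Buypass Class 3 CA 1", entry}};
        std::printf("%s canonical=%d matched=%d\n", entry.c_str(), is_canonical_fingerprint(entry),
                    find_root(table, format_fingerprint(kDigest)) != nullptr);
    }
}
```

Run over every list entry at build or startup time, a check like `is_canonical_fingerprint` turns a silently missing EV indicator into an immediate failure.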