Closed Bug 499716 Opened 11 years ago Closed 10 years ago

Enable Buypass Class 3 CA 1 for EV in PSM

Product / Component: Core :: Security: PSM (enhancement)
Status: RESOLVED FIXED
Tracking: status1.9.2 --- beta5-fixed; status1.9.1 --- .8-fixed
People: Reporter: kwilson, Assigned: KaiE
Attachments: 1 file, 1 obsolete file

Per bug 477028 the request from Buypass has been approved to enable its Buypass Class 3 CA 1 root certificate for EV use. Please make the corresponding changes to PSM.

The relevant information is as follows:

Friendly name: Buypass Class 3 CA 1

SHA1 Fingerprint: 
61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71

EV policy OID:  
2.16.578.1.26.1.3.3

Test URL:  
https://evident.ssl.buypass.no/ssl/evident/
As the representative of the CA (Buypass) I hereby confirm that the above information / data is correct.

Thanks for your efforts!


Rgds.,

John Arild A. Johansen  •  CSO •  Buypass AS
Hi, here at Buypass we're quite eager to get our certificates included, so I'm posting a "request for status" for this bug to see if we can get some additional information on the schedule.

Rgds., 
John

John Arild A. Johansen  •  CSO •  Buypass AS
I began to work on this.
I built a test version of Firefox, using the code from bug 499712 that added several new CAs.

My test used NSS 3.12.4.5 + new roots

When I connect to https://evident.ssl.buypass.no/ssl/evident/
I get an error message:

An error occurred during a connection to evident.ssl.buypass.no.
The OCSP server found the request to be corrupted or improperly formed.
(Error code: sec_error_ocsp_malformed_request)

It seems the OCSP server rejects our standard OCSP requests (that work well everywhere else) and the OCSP server does not give a valid response.

This is a failure in my profile, because I have configured Firefox to complain about OCSP server errors (security.ocsp.require = 1)

Buypass, please fix your OCSP server, before we can proceed with this bug and let us know.

If you believe this error is not on your side, then please provide evidence, log files, descriptions, etc.
Thank you.
Attached patch: Patch v1 (obsolete)
Code used to grant EV privileges to Buypass CA as requested.
However, because of the OCSP server error, no green EV chrome is seen yet, as expected.

We'll request code review after we have a positive test result.
Kai, our test site has now been fixed. 
Sorry for the inconvenience and thanks for your efforts so far.
Thanks for the quick turnaround. I was able to get a green verification result with your test site.

We need a slightly different patch, will attach in a moment.
Attached patch: Patch v2
I notice the existing code that processes our static list of EV roots is case sensitive; this new patch changes the fingerprint to all uppercase, in order to remind us when working on future additions.
Attachment #401121 - Attachment is obsolete: true
Attachment #401219 - Flags: review?(rrelyea)
Comment on attachment 401219 [details] [diff] [review]
Patch v2

r+ I presume Buypass is already in the nssckbi.

bob
Attachment #401219 - Flags: review?(rrelyea) → review+
Yes, see bug 499712  :-D

https://bugzilla.mozilla.org/show_bug.cgi?id=499712

Rgds.,

John Arild A. Johansen  •  CSO •  Buypass AS
Hi, here at Buypass we're quite eager to get our certificates included AND EV enabled...hopefully in version 3.6 of Firefox, so I'm posting a "request for status" for this bug.

Best regards, 
John
Prior to adding this patch to Mozilla, each desired branch must get updated to NSS 3.12.5, which will be released soon. I filed a tracker bug for this delivery.

Right now Mozilla still uses 3.12.4 (or earlier) on all branches.
Depends on: 527659
Depends on: 528277
No longer depends on: 527659
Hi, not being included in the current Beta4 of Firefox either... I take the liberty to again submit a "request for status" for this bug.

Best regards, 
John
Flags: blocking1.9.2?
Attachment #401219 - Flags: approval1.9.2+
Pushed to mozilla-central
http://hg.mozilla.org/mozilla-central/rev/d5ad580e03b1
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Attachment #401219 - Flags: approval1.9.1.7?
Flags: wanted1.9.2+
Flags: blocking1.9.2?
Flags: blocking1.9.2-
Comment on attachment 401219 [details] [diff] [review]
Patch v2

>+    "Buypass Class 3 CA 1", // for real entries use a string like "Sample INVALID EV OID"
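Review bot: the trailing comment on this line is copied from the table's sample entry and does not describe a real CA entry; replace it with a comment that is true for this entry (for instance the bug under which the root was approved for EV) or drop it. While touching the entry, confirm the fingerprint field uses the uppercase, colon-separated form, since an earlier comment on this bug notes that the static EV list comparison is case sensitive and Patch v1 was obsoleted for exactly that reason.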

The (copied) comment seems bogus here.
Comment on attachment 401219 [details] [diff] [review]
Patch v2

Approved for 1.9.1.8, a=dveditz for release-drivers
Attachment #401219 - Flags: approval1.9.1.8? → approval1.9.1.8+
Whiteboard: [needs 1.9.1 landing]
pushed
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab
Whiteboard: [needs 1.9.1 landing]
(In reply to comment #17)
> pushed
> http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab

Sorry, I made a mistake when I landed the patch into the Firefox 3.5.x, Mozilla 1.9.1 branch.

I accidentally landed the old patch, which used lowercase for the fingerprint, but we require uppercase for the comparison to succeed.

I propose to fix this by backing out the wrong patch and applying the correct patch.
I'm asking for blocking1.9.1 as a way to ask for approval to fix the wrong patch.
blocking1.9.1: --- → ?
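The two problems discussed in this bug, a static EV root table whose fingerprint comparison is case sensitive (the reason Patch v2 uppercased the fingerprint) and a landing that accidentally reintroduced the lowercase form, are easy to demonstrate and to guard against with a unit-test style lint. The following C++ is an added example written for this page, not PSM's or NSS's code: the struct layout, function names and the second, lowercase table entry are this example's own assumptions; the Buypass policy OID and SHA-1 fingerprint are the values given in the bug. It shows the byte-for-byte lookup failing on a lowercase fingerprint, a normalized lookup that does not, a lint that flags table entries not in the form the strict compare expects, and the EV decision that ties the root fingerprint to the policy OID in the end-entity certificate.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <string>
#include <vector>

// One entry of a static EV root table, in the spirit of PSM's list: the EV
// policy OID the CA asserts in its EV end-entity certificates, a descriptive
// name, and the SHA-1 fingerprint of the root. Layout is this example's
// assumption, not PSM's real struct.
struct EvRootEntry {
    const char* policyOid;
    const char* friendlyName;
    const char* sha1Fingerprint;
};

// Buypass values are the ones given in the bug. The second entry is
// constructed for this example with a lowercase fingerprint, which is the
// mistake the lint below is meant to catch before landing.
static const EvRootEntry kEvRoots[] = {
    { "2.16.578.1.26.1.3.3", "Buypass Class 3 CA 1",
      "61:57:3A:11:DF:0E:D8:7E:D5:92:65:22:EA:D0:56:D7:44:B3:23:71" },
    { "1.2.3.4.5", "Lowercase Entry (constructed)",
      "aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99:aa:bb:cc:dd" },
};

// Canonical form: colons dropped, hex uppercased. Returns "" unless the
// input encodes exactly 20 bytes.
std::string normalizeSha1Fingerprint(const std::string& fp) {
    std::string out;
    for (char c : fp) {
        if (c == ':') continue;
        unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isxdigit(uc)) return "";
        out.push_back(static_cast<char>(std::toupper(uc)));
    }
    return out.size() == 40 ? out : "";
}

// The behaviour the bug describes: a byte-for-byte compare, so a lowercase
// fingerprint never matches an uppercase table entry (and vice versa).
const EvRootEntry* findEvRootCaseSensitive(const std::string& fp) {
    for (const EvRootEntry& e : kEvRoots) {
        if (fp == e.sha1Fingerprint) return &e;
    }
    return nullptr;
}

// Hardened lookup: normalize both sides before comparing.
const EvRootEntry* findEvRootNormalized(const std::string& fp) {
    const std::string want = normalizeSha1Fingerprint(fp);
    if (want.empty()) return nullptr;
    for (const EvRootEntry& e : kEvRoots) {
        if (normalizeSha1Fingerprint(e.sha1Fingerprint) == want) return &e;
    }
    return nullptr;
}

// Table lint for a unit test: every stored fingerprint must already be in the
// exact uppercase "XX:XX:...:XX" form a case-sensitive compare expects.
// Returns the friendly names of offending entries.
std::vector<std::string> lintEvRootTable() {
    std::vector<std::string> bad;
    for (const EvRootEntry& e : kEvRoots) {
        const std::string fp = e.sha1Fingerprint;
        bool ok = (fp.size() == 59);  // 20 hex pairs + 19 colons
        for (size_t i = 0; ok && i < fp.size(); ++i) {
            unsigned char c = static_cast<unsigned char>(fp[i]);
            if (i % 3 == 2) ok = (c == ':');
            else ok = std::isxdigit(c) && !std::islower(c);
        }
        if (!ok) bad.push_back(e.friendlyName);
    }
    return bad;
}

// The EV decision: the chain's root must be in the table and the end-entity
// certificate's certificatePolicies must carry that root's EV OID. Chain
// building, signature and revocation checks are assumed done elsewhere.
bool isEvChain(const std::string& rootFingerprint,
               const std::vector<std::string>& endEntityPolicyOids) {
    const EvRootEntry* root = findEvRootNormalized(rootFingerprint);
    if (!root) return false;
    return std::find(endEntityPolicyOids.begin(), endEntityPolicyOids.end(),
                     std::string(root->policyOid)) != endEntityPolicyOids.end();
}

int main() {
    const std::string lower =
        "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71";
    std::cout << "strict lookup of lowercase fingerprint: "
              << (findEvRootCaseSensitive(lower) ? "found" : "not found") << "\n";
    std::cout << "normalized lookup: "
              << (findEvRootNormalized(lower) ? "found" : "not found") << "\n";
    for (const std::string& name : lintEvRootTable())
        std::cout << "lint: fingerprint not in uppercase form in '" << name << "'\n";
    std::cout << "EV chain: "
              << (isEvChain(lower, {"2.16.578.1.26.1.3.3"}) ? "yes" : "no") << "\n";
    return 0;
}
```

Running the lint over the table as part of the build's tests is what would have caught the mistaken 1.9.1 landing described above: the lowercase fingerprint compiles fine and only fails at runtime, when the site silently gets no EV treatment rather than an error.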
Blocks: 546023
Messing with this bug further is going to confuse things, especially since we've already shipped this fix. We can fix this in bug 546023.
blocking1.9.1: ? → ---
No longer blocks: 546023
Depends on: 546023