515470 - Add VeriSign Universal Root Certification Authority root certificate to NSS

Status: RESOLVED FIXED

(NSS :: CA Certificates Code, task, P2)

Description

[Kathleen Wilson]

This bug requests inclusion in the NSS root certificate store of the following certificate, owned by VeriSign.

Friendly name: 
VeriSign Universal Root Certification Authority

Certificate location: 
https://bugzilla.mozilla.org/attachment.cgi?id=368998
 (will also attach to this bug)

SHA1 Fingerprint: 
36:79:CA:35:66:87:72:30:4D:30:A5:FB:87:3B:0F:A7:7B:B7:0D:54

Trust flags: web sites, email, code signing

Test URL: https://ptnr-verisign256.bbtest.net

This CA has been assessed in accordance with the Mozilla project guidelines,
and the root certificates have been approved for inclusion in bug 484901.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is
correct, and that the correct certificate(s) have been attached. They must also
specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new
certificate(s), and attaches nssckbi.dll to this bug. A representative of the
CA must download this, drop it into a copy of Firefox and/or Thunderbird on the
OS in question and confirm (by adding a comment here) that the certificate(s)
have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and
marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate. This process is mostly under the
control of the release drivers for those products.

Comment 1

[Kathleen Wilson]

Attachment: VeriSign Universal Root Certification Authority root cert

Comment 2

[Kathleen Wilson]

Jay, Please see step #1 above.

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

taking.

Comment 4

[Jay Schiavo]

This is to confirm the data in the bug looks correct and that the correct
certificate is attached. For the OS to do the verification, we will use Window
XP Pro SP2.

Comment 5

[Kai Engert [:KaiE:]]

Please perform the test (3) mentioned in the initial comment in this bug.

Instead of using a separate nssckbi.dll, I've produced a full test firefox
build, please download from:
https://build.mozilla.org/tryserver-builds/kaie@kuix.de-bug527759-11/

We'll wait for you to confirm your root(s) have been added correctly to this
test build (cert listed in cert manager, trust flags as expected, you can
connect to your test site as expected).

Comment 6

[Jay Schiavo]

We checked the test build above and confirmed the VeriSign Universal Root Certification Authority root is added to the build and we could successfully access the test site listed above using a cert issued from this root. The trust bits (SSL/TLS) and Email (SMIME) that we requested, were enabled. However, we did request this root to have the code signing trust bit enabled, which we did not see.

Comment 7

[Kai Engert [:KaiE:]]

Jay, according to my own verification, the code signing trust bit is enabled
for this root.

In order to verify, I used the following steps:
- start firefox
- open certificate manager
- go to authorities tab
- scroll down to Verisign, Inc.
- select Verisign Universal Root...
- click "Edit"

A dialog open which has the following 2 checkboxes checked:
- identify web sites
- identify mail users
- identify software makers


I believe code signing is enabled.

What do you see when you perform above steps?
Is "identify software makers" checked or not checked?

Please tell me, how did you test and reach your conclusion that code signing
bit is missing?

Comment 8

[Jay Schiavo]

Hi Kai, 

Thanks for the instructions. I followed those steps and did verify "identify software makers" is checked. From our side the testing is complete and everything looks correct.

Jay

Comment 9

[Kai Engert [:KaiE:]]

Resolved fixed by Bug 527759