Closed Bug 521869 Opened 15 years ago Closed 15 years ago

Add thawte Primary Root CA - G2 and G3 root certificates to NSS

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

Attachments

(2 files)

652 bytes, application/x-x509-ca-cert
1.04 KB, application/x-x509-ca-cert
This bug requests inclusion in the NSS root certificate store of the following two certificates, owned by Thawte (a subsidiary of VeriSign).

Friendly name: thawte Primary Root CA - G2
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=335551
SHA1 Fingerprint: AA:DB:BC:22:23:8F:C4:01:A1:27:BB:38:DD:F4:1D:DB:08:9E:F0:12
Trust flags: web sites, code signing
Test URL: https://ecc-test-valid.thawte.com

Friendly name: thawte Primary Root CA - G3
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=369000
SHA1 Fingerprint: F1:8B:53:8D:1B:E9:03:B6:A6:F0:56:43:5B:17:15:89:CA:F3:6B:F2
Trust flags: web sites, code signing
Test URL: https://ptnr-thawte256.bbtest.net

This CA has been assessed in accordance with the Mozilla project guidelines,
and the root certificates have been approved for inclusion in bug #409237 and bug #484903.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is
correct, and that the correct certificate(s) have been attached. They must also
specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new
certificate(s), and attaches nssckbi.dll to this bug. A representative of the
CA must download this, drop it into a copy of Firefox and/or Thunderbird on the
OS in question and confirm (by adding a comment here) that the certificate(s)
have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and
marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.

Attached file G2 Root

Attached file G3 Root

Jay, Please see step #1 above.

still waiting for data verification from thawte

Hi Kai, all the information looks correct. We will use XP Pro SP2 as the OS.

Depends on: 527759

Please perform the test (3) mentioned in the initial comment in this bug.

Instead of using a separate nssckbi.dll, I've produced a full test Firefox build. Please download it from:
https://build.mozilla.org/tryserver-builds/kaie@kuix.de-bug527759/

We'll wait for you to confirm your root(s) have been added correctly to this test build (cert listed in cert manager, trust flags as expected, you can connect to your test site as expected).

We checked the test build above and confirmed the thawte Primary Root CA - G2 root is added to the build and we could successfully access the test site listed above using a cert issued from this root. The trust bits (SSL/TLS) and Email (SMIME) that we requested were enabled. However, we did request this root to have the code signing trust bit enabled, which we did not see.

We checked the test build above and confirmed the thawte Primary Root CA - G3 root is added to the build and we could successfully access the test site listed above using a cert issued from this root. The trust bits (SSL/TLS) and Email (SMIME) that we requested were enabled. However, we did request this root to have the code signing trust bit enabled, which we did not see.

Jay, according to my own verification, the code signing trust bit is enabled for both G2 and G3 roots.

In order to verify, I used the following steps:
- start firefox
- open certificate manager
- go to authorities tab
- scroll down to thawte, Inc.
- select thawte Primary Root CA - G2 (or G3)
- click "Edit"

A dialog opens which has the following 2 checkboxes checked:
- identify web sites
- identify software makers


I believe code signing is enabled.

What do you see when you perform the above steps?
Is "identify software makers" checked or not checked?

Please tell me, how did you test and reach your conclusion that the code signing bit is missing?

Hi Kai,

Thanks for the instructions. I followed those steps and did verify "identify software makers" is checked for these two roots. From our side the testing is complete and everything looks correct.

Jay

Resolved fixed by Bug 527759

Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
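
Added example (not part of the bug thread and not NSS project code): the fingerprint and trust-flag confirmation discussed above can also be checked against the store's text source instead of the certificate manager dialog. The sketch parses a constructed certdata.txt-style trust object and compares it with the values requested in this bug. The names parse_trust, check, FLAG_ATTR and SAMPLE are hypothetical, as is the mapping from the bug's flag names to CKA_TRUST_* attributes.

```python
import re

# Constructed sample in the style of an NSS certdata.txt trust object. The hash
# is the G2 SHA1 fingerprint from this bug; the trust values are illustrative.
SAMPLE = r'''
CKA_LABEL UTF8 "thawte Primary Root CA - G2"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\252\333\274\042\043\217\304\001\241\047\273\070\335\364\035\333
\010\236\360\022
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
'''

FLAG_ATTR = {"web sites": "CKA_TRUST_SERVER_AUTH",  # assumed flag-name mapping
             "email": "CKA_TRUST_EMAIL_PROTECTION",
             "code signing": "CKA_TRUST_CODE_SIGNING"}

def parse_trust(text):
    """Return {label: {"sha1": "AA:BB:...", "trust": {attr: value}}}."""
    out, cur, in_hash = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if line == "END":
            in_hash = False
        elif in_hash:  # octal-escaped bytes of the SHA1 hash
            cur["octets"] += [int(o, 8) for o in re.findall(r"\\([0-7]{3})", line)]
        elif line.startswith("CKA_LABEL UTF8"):
            cur = out.setdefault(line.split('"')[1], {"octets": [], "trust": {}})
        elif cur is not None and line.startswith("CKA_CERT_SHA1_HASH"):
            in_hash = True
        elif cur is not None and line.startswith("CKA_TRUST_"):
            attr, _type, value = line.split()
            cur["trust"][attr] = value
    for entry in out.values():
        entry["sha1"] = ":".join("%02X" % b for b in entry.pop("octets"))
    return out

def check(store, label, sha1, flags):
    """Return a list of problems; an empty list means the entry matches."""
    entry = store.get(label)
    if entry is None:
        return ["no trust object for " + label]
    problems = [] if entry["sha1"] == sha1.upper() else ["SHA1 mismatch"]
    for flag in flags:  # matches both CKT_NSS_ and older CKT_NETSCAPE_ names
        if not entry["trust"].get(FLAG_ATTR[flag], "").endswith("TRUSTED_DELEGATOR"):
            problems.append("not trusted for " + flag)
    return problems
```

An empty list from check() for the flags "web sites" and "code signing" corresponds to both checkboxes being ticked in the Edit dialog described in the thread.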