Closed Bug 534274 Opened 10 years ago Closed 10 years ago

Remove/Disable legacy roots without current audit reports/statements

Categories

(NSS :: CA Certificate Root Program, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: kwilson)

The following roots have expired. I propose that they be removed from NSS.

CN = ABA.ECOM Root CA
1999 Jul 12 to 2009 Jul 09 
2048, SHA-1
(From the CA: IdenTrust owns this root and has decided not to renew it and Mozilla can remove it.)

CN = DST RootCA X1
1998 Dec 01 to 2008 Nov 28 
2048, SHA-1
(Replaced by DST Root CA X3)

CN = DST RootCA X2
1998 Nov 30 to 2008 Nov 27 
2048, SHA-1
(Replaced by DST ACES CA X6)


For the following roots the CA has requested that the roots be removed from NSS. These roots are no longer in use, and no longer audited. I propose that these 2 roots be removed from NSS.

O = StartCom Ltd.
CN = Free SSL Certification Authority
2005 Mar 17 to 2035 Mar 10
1024, MD5
Removal requested by CA in bug #487150

OU = Visa International Service Association
CN = GP Root 2
2000 Aug 16 to 2020 Aug 15
2048, SHA-1
Removal requested by CA in bug #380067


The following roots are legacy roots that are owned by Verizon. I do not have recent audit reports/statements for these roots. I will appreciate it if a representative of Verizon will confirm that the expired root can be removed from NSS, and that the beTrusted roots can be disabled (all three trust bits turned off). 

CN = GTE CyberTrust Root
1996 Feb 23 to 2006 Feb 23  (expired)
(Owned by Verizon)
(Bug #416684 requests removal of this root, but doesn’t seem to be from a Verizon representative.)

CN = beTRUSTed Root CA
2000 Jun 20 to 2010 Jun 20
2048, SHA-1

CN = beTRUSTed Root CA-Baltimore Implementation
2002 Apr 11 to 2022 Apr 11
2048, SHA-1

CN = beTRUSTed Root CA - Entrust Implementation
2002 Apr 11 to 2022 Apr 11
2048, SHA-1

CN = beTRUSTed Root CA - RSA Implementation
2002 Apr 11 to 2022 Apr 12
2048, SHA-1


The following roots are legacy roots that are owned by Entrust.  I do not have recent audit reports/statements for these roots. I will appreciate it if a representative of Entrust will confirm that these roots can be disabled (all three trust bits turned off). 
 
CN = Entrust.net Client Certification Authority
1999 Oct 12 to 2019 Oct 12
1024, MD5

CN = Entrust.net Secure Server Certification Authority
2000 Feb 04 to 2020 Feb 04
1024, MD5

CN = Entrust.net Client Certification Authority
2000 Feb 07 to 2020 Feb 07
1024, MD5


The following root is a legacy root that is owned by VeriSign.  I do not have a recent audit report/statement for this root. I will appreciate it if a representative of VeriSign will confirm that this root can be disabled (all three trust bits turned off). 

CN = UTN-USERFirst-Network Applications
1999 Jul 09 to 2019 Jul 09
2048, SHA-1


The following roots are legacy roots that are owned by Go Daddy / Starfield.  I do not have recent audit reports/statements for these roots. I will appreciate it if a representative of Go Daddy / Starfield will confirm that these roots can be disabled (all three trust bits turned off). 

OU = ValiCert Class 1 Policy Validation Authority
CN = http://www.valicert.com/
1999 Jun 25 to 2019 Jun 25
1024, SHA-1

OU = ValiCert Class 3 Policy Validation Authority
CN = http://www.valicert.com/
1999 Jun 25 to 2019 Jun 25
1024, SHA-1
Status: NEW → ASSIGNED
Steve, Bruce, Jay, and Mr. Dolan,

As representatives of a CA for roots listed above, please confirm that the roots listed may be removed or disabled (all trust bits turned off) in NSS.
Kathleen,

On behalf of Entrust, I confirm that the three Entrust.net roots listed in this Bug can be disabled.

Bruce.
Hi Kathleen,

Yes, you can disable the UTN-USERFirst-Network Applications listed in this bug.

Jay
Hello Kathleen,

Go Daddy / Starfield owns the Valicert Class 2 roots.  We cannot speak for the roots listed above.

Thanks,
Patrick
Bruce and Jay, Thank you for confirming that the listed Entrust and VeriSign legacy roots may be disabled.

Patrick, Thank you for pointing out that Go Daddy does not own the ValiCert Class 1 and ValiCert Class 3 root certificates.

All, here is what I’ve found on those two roots…

It appears that the “ValiCert Class 1 Policy Validation Authority” root is owned by SECOM Trust.
The recent audit for SECOM Trust was completed June 8, 2009,
https://cert.webtrust.org/SealFile?seal=975&file=pdf
and specifically covers the “Security Communication RootCA1” and “Security Communication EV RootCA1” roots that are currently included in NSS. 
There is no mention of the “ValiCert Class 1 Policy Validation Authority” root in the audit statement.
Therefore, I request that a representative of SECOM Trust confirm that SECOM Trust does own the “ValiCert Class 1 Policy Validation Authority” root, and that this root can be disabled.


It appears that the “ValiCert Class 3 Policy Validation Authority” root is owned by RSA. The recent audit for RSA was completed July 15, 2009, 
https://cert.webtrust.org/SealFile?seal=981&file=pdf
and specifically covered the “RSA Security 2048 V3” root certificate that is currently included in NSS.

Therefore, there appears to be two legacy roots that are owned by RSA and still included in NSS. I will need a representative from RSA to confirm that the following two roots may be disabled:

OU = ValiCert Class 3 Policy Validation Authority
CN = http://www.valicert.com/
1999 Jun 25 to 2019 Jun 25
1024, SHA-1

And

OU = RSA Security 1024 V3
2001 Feb 22 to 2026 Feb 22
1024, SHA-1
Hello Kathleen-san,

Thank you for the notice.

Yes, SECOM own the "ValiCert Class 1 Policy Validation Authority" root and this root is still in use and included in the most recent audit report completed September 30, 2009.

This audit report covers the "SECOM Trust.net Root1 CA", "Security Communication RootCA1" and "Security Communication EV RootCA1" roots.

The "SECOM Trust.net Root1 CA" is same as the "ValiCert Class 1 Policy Validation Authority", and please include these three roots in NSS.

You can find it at the first section of "Introduction" in our "SECOM Trust.net Root1 CA Certificate Policy & Certification Practice Statement Ver.2.00".
https://repository.secomtrust.net/rootrepository/CPSen.pdf

Thank you for your concern.
Kathleen-san,

The URL for the audit report is below.
https://cert.webtrust.org/SealFile?seal=975&file=pdf

Thank you.
Kamo-san,

Thank you for the information about the "ValiCert Class 1 Policy Validation Authority" root. I see that in the CPS it is made clear that this is the same root as the "SECOM Trust.net Root1 CA" root that is referred to in the audit report.

I have updated my records to indicate that the audit for this root is current, and that the root should not be disabled at this time.
Kathleen,

Forgive my delay due to holidays.  On behalf of the specific root owning and operating units OmniRoot LLC and Cybertrust Belgium NV and their parents Verizon Business Global Services LLC and Verizon Communications, I confirm that the identified roots may be disabled.

Steve Medin
Thank you, Steve, for confirming that these roots may be disabled: GTE CyberTrust Root, beTRUSTed Root CA, beTRUSTed Root CA-Baltimore Implementation, beTRUSTed Root CA - Entrust Implementation, beTRUSTed Root CA - RSA Implementation.

I am corresponding with RSA via email in regards to the "RSA Security 1024 V3" and the "ValiCert Class 3 Policy Validation Authority" roots. Once I have these two roots clarified, I will write a summary of the removal/disablement actions that I am proposing, post it in the discussions group for a week. Then follow up with the NSS bug(s) to make the actual changes.
I am adding one more root certificate to the list of expired roots to be removed from NSS:

IPS Seguridad CA
Certificaciones
IPS SERVIDORES
2009.07.08 to 2009.12.31
1024, MD5

Since this root was only used for issuing SSL certificates, and it is expired, it may be removed from NSS.
I have received email from VeriSign stating that the following 3 roots may also be removed now:

Thawte Consulting
Certification Services Division
Thawte Personal Basic CA
1995 Dec 31 to 2020 Dec 31
1024, MD5

Thawte Consulting
Certification Services Division
Thawte Personal Premium CA
1995 Dec 31 to 2020 Dec 31
1024, MD5

RSA Data Security, Inc.
Secure Server Certification Authority
Verisign/RSA Secure Server CA
1994 Nov 08 to 2010 Jan 07
1000, MD2
I have created bug #549701 to track the legacy RSA roots, so that I can move forward with the rest of the roots listed in this bug.
I am now opening the public discussion period for this request to remove or disable several legacy root certificate authorities in NSS.

The discussion will be in the mozilla.dev.security.policy newsgroup and the corresponding dev-security-policy@lists.mozilla.org mailing list.

http://www.mozilla.org/community/developer-forums.html
https://lists.mozilla.org/listinfo/dev-security-policy
news://news.mozilla.org/mozilla.dev.security.policy

The discussion thread is called “Remove/Disable several legacy roots”


Here is a summary of the recommendation.

-- Roots to Remove --

CN = ABA.ECOM Root CA
1999 Jul 12 to 2009 Jul 09 
2048, SHA-1

CN = DST RootCA X1
1998 Dec 01 to 2008 Nov 28 
2048, SHA-1

CN = DST RootCA X2
1998 Nov 30 to 2008 Nov 27 
2048, SHA-1

CN = IPS SERVIDORES
2009.07.08 to 2009.12.31
1024, MD5

O = StartCom Ltd.
CN = Free SSL Certification Authority
2005 Mar 17 to 2035 Mar 10
1024, MD5

OU = Visa International Service Association
CN = GP Root 2
2000 Aug 16 to 2020 Aug 15
2048, SHA-1

Thawte Consulting 
Certification Services Division 
Thawte Personal Basic CA 
1995 Dec 31 to 2020 Dec 31 
1024, MD5  

Thawte Consulting 
Certification Services Division 
Thawte Personal Premium CA 
1995 Dec 31 to 2020 Dec 31 
1024, MD5  

RSA Data Security, Inc.     
Secure Server Certification Authority         
Verisign/RSA Secure Server CA     
1994 Nov 08 to 2010 Jan 07 
1000, MD2

-- Roots to Disable (turn off all three trust bits) --

CN = GTE CyberTrust Root
1996 Feb 23 to 2006 Feb 23  (expired)

CN = beTRUSTed Root CA
2000 Jun 20 to 2010 Jun 20
2048, SHA-1

CN = beTRUSTed Root CA-Baltimore Implementation
2002 Apr 11 to 2022 Apr 11
2048, SHA-1

CN = beTRUSTed Root CA - Entrust Implementation
2002 Apr 11 to 2022 Apr 11
2048, SHA-1

CN = beTRUSTed Root CA - RSA Implementation
2002 Apr 11 to 2022 Apr 12
2048, SHA-1

CN = Entrust.net Client Certification Authority
1999 Oct 12 to 2019 Oct 12
1024, MD5

CN = Entrust.net Secure Server Certification Authority
2000 Feb 04 to 2020 Feb 04
1024, MD5

CN = Entrust.net Client Certification Authority
2000 Feb 07 to 2020 Feb 07
1024, MD5

CN = UTN-USERFirst-Network Applications
1999 Jul 09 to 2019 Jul 09
2048, SHA-1
Whiteboard: In public discussion
Duplicate of this bug: 453887
As per bug #413379, adding one more certificate to remove:
CN = VeriSign Time Stamping Authority CA
SHA1 Fingerprint: A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36
The public comment period for this request is now over. 

This request has been evaluated as per
https://wiki.mozilla.org/CA:Root_Change_Process

Based on the responses from the CAs who own these roots, and the public discussion, I intend to approve this request to remove or disable the root certificate authorities listed below.

-- Roots to Remove --

CN = ABA.ECOM Root CA
SHA1 Fingerprint: 7A:74:41:0F:B0:CD:5C:97:2A:36:4B:71:BF:03:1D:88:A6:51:0E:9E

CN = DST RootCA X1
SHA1 Fingerprint: B7:2F:FF:92:D2:CE:43:DE:0A:8D:4C:54:8C:50:37:26:A8:1E:2B:93

CN = DST RootCA X2
SHA1 Fingerprint: 67:EB:33:7B:68:4C:EB:0E:C2:B0:76:0A:B4:88:27:8C:DD:95:97:DD

CN = IPS SERVIDORES
SHA1 Fingerprint: 24:BA:6D:6C:8A:5B:58:37:A4:8D:B5:FA:E9:19:EA:67:5C:94:D2:17

O = StartCom Ltd.
CN = Free SSL Certification Authority
SHA1 Fingerprint: 95:E6:AD:F8:D7:71:46:02:4D:D5:6A:21:B2:E7:3F:CD:F2:3B:35:FF

OU = Visa International Service Association
CN = GP Root 2
SHA1 Fingerprint: C9:0D:1B:EA:88:3D:A7:D1:17:BE:3B:79:F4:21:0E:1A:58:94:A7:2D

O = Thawte Consulting 
CN = Thawte Personal Basic CA 
SHA1 Fingerprint: 40:E7:8C:1D:52:3D:1C:D9:95:4F:AC:1A:1A:B3:BD:3C:BA:A1:5B:FC

O = Thawte Consulting 
CN = Thawte Personal Premium CA 
SHA1 Fingerprint: 36:86:35:63:FD:51:28:C7:BE:A6:F0:05:CF:E9:B4:36:68:08:6C:CE

O = RSA Data Security, Inc.
Cert Name: Verisign/RSA Secure Server CA
SHA1 Fingerprint: 44:63:C5:31:D7:CC:C1:00:67:94:61:2B:B6:56:D3:BF:82:57:84:6F

CN = VeriSign Time Stamping Authority CA 
SHA1 Fingerprint: A6:0F:34:C8:62:6C:81:F6:8B:F7:7D:A9:F6:67:58:8A:90:3F:7D:36

-- Roots to Disable (turn off all three trust bits) --

CN = GTE CyberTrust Root
SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64

CN = beTRUSTed Root CA
SHA1 Fingerprint: 5B:CD:CD:CC:66:F6:DC:E4:44:1F:E3:7D:5C:C3:13:4C:46:F4:70:38

CN = beTRUSTed Root CA-Baltimore Implementation
SHA1 Fingerprint: DC:BB:9E:B7:19:4B:C4:72:05:C1:11:75:29:86:83:5B:53:CA:E4:F8

CN = beTRUSTed Root CA - Entrust Implementation
SHA1 Fingerprint: 72:99:79:13:EC:9B:0D:AE:65:D1:B6:D7:B2:4A:76:A3:AE:C2:EE:16

CN = beTRUSTed Root CA - RSA Implementation
SHA1 Fingerprint: 1D:82:59:CA:21:27:C3:CB:C1:6C:D9:32:F6:2C:65:29:8C:A8:87:12

CN = Entrust.net Client Certification Authority
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = UTN-USERFirst-Network Applications
SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1

--
As per the summary in Comment #17, and on behalf of the Mozilla project I approve this request to remove or disable the legacy root certificates in the list above.

I will file the NSS bugs to effect the approved changes.
Whiteboard: In public discussion → Approved - awaiting NSS
Depends on: 554330
Depends on: 554334
I have filed bugs #554330 and #554334 against NSS for the actual changes.
Blocks: 413379
This is FIXED now, right?
The changes have been checked into NSS, but I don't know when that version of NSS will be included in a release of Firefox.

I prefer not to close this bug until I have verified that the changes are included in Firefox.
Whiteboard: Approved - awaiting NSS → Waiting for Firefox to take fixed NSS
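One way to verify that a given NSS certdata.txt actually reflects the approved list in Comment #17, as an added example that is not part of this bug, of NSS, or of Mozilla's own tooling. It assumes the certdata.txt trust-object layout (CKO_NSS_TRUST objects carrying CKA_CERT_SHA1_HASH as MULTILINE_OCTAL plus the three CKA_TRUST_* attributes); the certdata fragment it parses is constructed inside the block, and only the fingerprints are taken from the approval summary above. "Removed" is checked as the fingerprint being absent, "disabled" as the root being present with none of the three trust attributes set to a trusted-delegator value.

```python
"""Added example (not from the bug, NSS or Mozilla): audit a certdata.txt
against the roots approved for removal or disablement in this bug."""
import re

# SHA-1 fingerprints copied from the approval summary (a subset; extend
# the dicts with the remaining entries from Comment #17 as needed).
TO_REMOVE = {
    "ABA.ECOM Root CA": "7A:74:41:0F:B0:CD:5C:97:2A:36:4B:71:BF:03:1D:88:A6:51:0E:9E",
    "DST RootCA X1": "B7:2F:FF:92:D2:CE:43:DE:0A:8D:4C:54:8C:50:37:26:A8:1E:2B:93",
}
TO_DISABLE = {
    "GTE CyberTrust Root": "90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64",
    "beTRUSTed Root CA": "5B:CD:CD:CC:66:F6:DC:E4:44:1F:E3:7D:5C:C3:13:4C:46:F4:70:38",
    "UTN-USERFirst-Network Applications": "5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1",
}

# The three trust bits NSS records per root. "All three trust bits off"
# means none of these attributes carries a trusted-delegator value (the
# older CKT_NETSCAPE_ spelling is accepted for 2010-era files).
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
               "CKA_TRUST_CODE_SIGNING")
TRUSTED = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}


def decode_octal(lines):
    """Turn MULTILINE_OCTAL lines such as '\\220\\336' into bytes."""
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(lines)))


def fp(raw):
    """Format a digest as the colon-separated uppercase hex used in the bug."""
    return ":".join("%02X" % b for b in raw)


def parse_objects(text):
    """Parse certdata.txt into a list of attribute dicts, one per CKA_CLASS.
    MULTILINE_OCTAL values become bytes, UTF8 values str, others raw tokens."""
    objects, cur, oct_attr, oct_lines = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if oct_attr is not None:              # inside a MULTILINE_OCTAL block
            if line == "END":
                cur[oct_attr] = decode_octal(oct_lines)
                oct_attr, oct_lines = None, []
            else:
                oct_lines.append(line)
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "CKA_CLASS" and len(parts) == 3:
            cur = {"class": parts[2]}
            objects.append(cur)
        elif cur is None or len(parts) < 2:
            continue
        elif parts[1] == "MULTILINE_OCTAL":
            oct_attr = parts[0]
        elif parts[1] == "UTF8" and len(parts) == 3:
            cur[parts[0]] = parts[2].strip('"')
        elif len(parts) == 3:
            cur[parts[0]] = parts[2]
    return objects


def audit(certdata_text):
    """Map each root named in the bug to 'ok: ...' or 'FAIL: ...'."""
    by_fp = {fp(o["CKA_CERT_SHA1_HASH"]): o for o in parse_objects(certdata_text)
             if o.get("class") == "CKO_NSS_TRUST" and "CKA_CERT_SHA1_HASH" in o}
    report = {}
    for name, f in TO_REMOVE.items():
        report[name] = "ok: removed" if f not in by_fp else "FAIL: still present"
    for name, f in TO_DISABLE.items():
        if f not in by_fp:
            report[name] = "ok: removed"
        elif any(by_fp[f].get(a) in TRUSTED for a in TRUST_ATTRS):
            report[name] = "FAIL: still trusted"
        else:
            report[name] = "ok: disabled"
    return report


def trust_object(label, fp_hex, server, email, code):
    """Build a constructed certdata.txt trust object (sample input only)."""
    octal = "".join("\\%03o" % b for b in bytes.fromhex(fp_hex.replace(":", "")))
    return "\n".join([
        '# Trust for "%s"' % label,
        "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST",
        "CKA_TOKEN CK_BBOOL CK_TRUE",
        'CKA_LABEL UTF8 "%s"' % label,
        "CKA_CERT_SHA1_HASH MULTILINE_OCTAL", octal, "END",
        "CKA_TRUST_SERVER_AUTH CK_TRUST %s" % server,
        "CKA_TRUST_EMAIL_PROTECTION CK_TRUST %s" % email,
        "CKA_TRUST_CODE_SIGNING CK_TRUST %s" % code,
        "CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE", "",
    ])


# Constructed sample: one root correctly disabled, one with the SSL bit
# still on, and one that should have been removed but is still present.
D, U = "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_MUST_VERIFY_TRUST"
SAMPLE_CERTDATA = "".join([
    trust_object("GTE CyberTrust Root", TO_DISABLE["GTE CyberTrust Root"], U, U, U),
    trust_object("beTRUSTed Root CA", TO_DISABLE["beTRUSTed Root CA"], D, U, U),
    trust_object("DST RootCA X1", TO_REMOVE["DST RootCA X1"], D, D, D),
])

if __name__ == "__main__":
    for name, status in audit(SAMPLE_CERTDATA).items():
        print("%-40s %s" % (name, status))
```

Pointing `audit()` at the real file from an NSS checkout (lib/ckfw/builtins/certdata.txt) gives the same report for the shipped built-in token. For a per-profile NSS database the equivalent check is done with NSS's own certutil: `certutil -L -d sql:<dir>` lists nicknames with their trust flags, and `certutil -M -n <nickname> -t ",," -d sql:<dir>` is the operation this bug calls "turning off all three trust bits".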
In Firefox 3.6.7.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: Waiting for Firefox to take fixed NSS
Product: mozilla.org → NSS