554334 - Disable Legacy Roots in NSS

Status: RESOLVED FIXED

(NSS :: CA Certificates Code, task)

Description

[Kathleen Wilson]

This bug requests that the following root certificates be disabled (all three trust bits turned off) in the NSS root certificate store.

This request has been assessed in accordance with the Mozilla project
guidelines, and the disablement of the certificates has been approved in bug
#534274.

Please disable the following root certificates in NSS by turning off all three trust bits:

CN = GTE CyberTrust Root
SHA1 Fingerprint: 90:DE:DE:9E:4C:4E:9F:6F:D8:86:17:57:9D:D3:91:BC:65:A6:89:64

CN = beTRUSTed Root CA
SHA1 Fingerprint: 5B:CD:CD:CC:66:F6:DC:E4:44:1F:E3:7D:5C:C3:13:4C:46:F4:70:38

CN = beTRUSTed Root CA-Baltimore Implementation
SHA1 Fingerprint: DC:BB:9E:B7:19:4B:C4:72:05:C1:11:75:29:86:83:5B:53:CA:E4:F8

CN = beTRUSTed Root CA - Entrust Implementation
SHA1 Fingerprint: 72:99:79:13:EC:9B:0D:AE:65:D1:B6:D7:B2:4A:76:A3:AE:C2:EE:16

CN = beTRUSTed Root CA - RSA Implementation
SHA1 Fingerprint: 1D:82:59:CA:21:27:C3:CB:C1:6C:D9:32:F6:2C:65:29:8C:A8:87:12

CN = Entrust.net Client Certification Authority
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = UTN-USERFirst-Network Applications
SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1

Comment 1

[Kai Engert (:KaiE:)]

Attachment: Patch v1

Comment 2

[Kai Engert (:KaiE:)]

The names shown in this bug (CN) are different from the names shown in the NSS source code (nicknames).

Therefore I used the following procedure to identify the certificates to remove:
- open cert manager
- search for the cert with the name shown in this bug
- view the cert
- compare the fingerprint to ensure I've found the right cert
- click details
- in the large text area, the initial line lists "builtin object token:"
  followed by the nickname
- I search NSS sourcecode for this nickname and made the requested change

I hope I changed/removed the correct certs.
I'll produce a test build where you could verify.

Comment 3

[Kai Engert (:KaiE:)]

A test build for verification on your prefered platform can be found here:
https://build.mozilla.org/tryserver-builds/kaie@kuix.de-kaie-roots1003/

I'd appreciate if you could have a look to see whether I've removed/disabled the correct roots.

Comment 4

[Kathleen Wilson]

I have installed the test build and verified that the trust bits have been turned off for the root certs listed above.

Kai, I apologize for not thinking of this earlier -- I just noticed it while doing the testing, so I have to ask...

Would it be reasonable to do the changes for bug 530853 as part of this patch?

Comment 5

[Nelson Bolyard (seldom reads bugmail)]

Comment on attachment 434574 [details] [diff] [review]
Patch v1

I confirm that this patch removes all 3 trust bits from 9 certs.  I didn't check that they're the right ones, but Kathleen has already confirmed that.

Comment 6

[Kai Engert (:KaiE:)]

/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.61; previous revision: 1.60

Comment 7

[Kai Engert (:KaiE:)]

previously mentioned commit was empty...
correct one is:

Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.63; previous revision: 1.62
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.60; previous revision: 1.59
done