Closed Bug 578491 Opened 14 years ago Closed 14 years ago

Add Izenpe.com root certificate to NSS

Categories

(NSS :: CA Certificates Code, task)


Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

This bug requests inclusion in the NSS root certificate store of the following
certificate, owned by Izenpe.

Friendly name: Izenpe.com

Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=385230

SHA1 Fingerprint: 2F:78:3D:25:52:18:A7:4A:65:39:71:B5:2C:A2:9C:45:15:6F:E9:19

Trust flags: Websites, Code Signing

Test URL: https://www.it-txartela.net 

This CA has been assessed in accordance with the Mozilla project guidelines,
and the certificate approved for inclusion in bug #361957.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is
correct, and that the correct certificate(s) have been attached. They must also
specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new
certificate(s), and attaches nssckbi.dll to this bug. A representative of the
CA must download this, drop it into a copy of Firefox and/or Thunderbird on the
OS in question and confirm (by adding a comment here) that the certificate(s)
have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and
marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate. This process is mostly under the
control of the release drivers for those products.
Blocks: 578499
Iñigo, please see step #1 above.
It's correct.
To perform the validation we'd like to test with Windows XP, Vista, 7, Mac OS 10.6, Ubuntu 10.0.4 and Fedora 13. If we can only choose one, then Vista.

Thanks
Thanks for confirming that the data in this bug is correct.

Root inclusions are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.

At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.
Depends on: 582575
Current test builds (Mozilla experimental) for various platforms can be found
at
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-92eacf382419/

Please note the builds at the above location will be automatically deleted after
two weeks, so please make copies if you need them.

Please test and confirm that your roots have been added correctly, with the
correct trust flags (use certificate manager, find your cert, click "view" to
see the trust flags).


Please note, THIS bug is ONLY for including the root. Any comments regarding "EV" should go into the separate EV bug.
Kathleen,

given that we see problems with the operation of the CA's OCSP infrastructure, I would like to ask:

Should we

(a) proceed adding the root now?

or

(b) delay adding the root until the OCSP infrastructure is working correctly?

Thanks in advance for your advice / decision.
We dare not add the root while the OCSP infrastructure is not working.
Kai, please postpone this request, and don't include it in the current batch.

Iñigo, please post an update in this bug when Izenpe has completed the following action items for certificates chaining to this root.
1) Update the OCSP responder to port 80.
2) Begin transition to new intermediate CAs which have the new AIA OCSP URI.
No longer depends on: 582575
As stated in bug #361957 (Comment 126), Izenpe has made the following changes:
- OCSP port has changed to 80
- VA is signed by the EV issuing CA
- Also adapted the profiles with the recent changes approved in the CABF.

The new test websites are 
EV (OID 1.3.6.1.4.1.14777.6.1.1)  https://servicios.izenpe.com
Sede EV (OID 1.3.6.1.4.1.14777.6.1.2) https://servicios1.izenpe.com

I have checked both of these test websites, and confirm that they both load into my Firefox browser without error, with OCSP enforced. Additionally, I confirm that the SSL cert for both of these websites chain up to this root and have OCSP: URI: http://ocsp.izenpe.com in the AIA. I also confirm that the new intermediate CA, "CA de Certificados SSL EV", also has OCSP: URI: http://ocsp.izenpe.com in the AIA.

It is my opinion that Izenpe has completed the action items stated in Comment #7 of this bug.

Kai, please include this root certificate in the next batch of NSS changes for root inclusions/changes.
Assignee: nobody → kaie
Depends on: 613394
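
Added example, not part of the original bug thread or of NSS: one way to repeat the check described in the comment above, that the OCSP URI in a certificate's AIA extension points at a responder on port 80. It scans DER bytes for the id-ad-ocsp OID instead of fully parsing ASN.1; the helper names and sample inputs are constructed for illustration, and the port 8080 URI is a made-up counter-example.

```python
from urllib.parse import urlsplit

# DER encoding of OID 1.3.6.1.5.5.7.48.1 (id-ad-ocsp): tag 0x06, length 0x08.
ID_AD_OCSP = bytes.fromhex("06082b06010505073001")
DEFAULT_PORTS = {"http": 80, "https": 443}


def ocsp_uris(der: bytes) -> list[str]:
    """Return OCSP URIs from AccessDescriptions found in DER bytes.

    Heuristic scan: looks for the id-ad-ocsp OID followed directly by a
    GeneralName [6] URI (tag 0x86) with a short-form length (< 128 bytes).
    """
    uris = []
    pos = der.find(ID_AD_OCSP)
    while pos != -1:
        p = pos + len(ID_AD_OCSP)
        if p + 2 <= len(der) and der[p] == 0x86 and der[p + 1] < 0x80:
            end = p + 2 + der[p + 1]
            if end <= len(der):  # ignore truncated input
                uris.append(der[p + 2:end].decode("ascii", "replace"))
        pos = der.find(ID_AD_OCSP, p)
    return uris


def effective_port(uri: str):
    """Port the client will connect to, using the scheme default if omitted."""
    parts = urlsplit(uri)
    return parts.port or DEFAULT_PORTS.get(parts.scheme)


def off_port_80(der: bytes) -> list[str]:
    """OCSP URIs in the DER bytes whose responder is not on port 80."""
    return [u for u in ocsp_uris(der) if effective_port(u) != 80]


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one short-form DER tag-length-value (sample construction only)."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def sample_aia(uri: str) -> bytes:
    """Constructed AIA value: SEQUENCE OF AccessDescription, one OCSP entry."""
    return tlv(0x30, tlv(0x30, ID_AD_OCSP + tlv(0x86, uri.encode("ascii"))))


if __name__ == "__main__":
    for uri in ("http://ocsp.izenpe.com", "http://ocsp.example.test:8080/"):
        print(uri, "->", off_port_80(sample_aia(uri)) or "port 80, OK")
```

The same functions accept the full DER bytes of a certificate, since the scan does not depend on where the AIA extension sits in the structure.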
Current test builds (Mozilla experimental) for various platforms can be found
at
http://stage.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-b725b0fd279e/

Please note the builds at the above location will be automatically deleted after
two weeks, so please make copies if you need them.

Please test and confirm that your roots have been added correctly, with the
correct trust flags (use certificate manager, find your cert, click "view" to
see the trust flags).

(Please note, if you have asked for enabling EV, that's not yet done, and will be a separate step.)
I made a new testbuild, now it includes the patch to enable roots for EV.

http://hg.mozilla.org/try/pushloghtml?changeset=c73f0117a36e
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-c73f0117a36e/

I've learned that tryserver builds are automatically deleted quickly, after 4 days.
I've mirrored the most important files here:
http://kuix.de/mozilla/tryserver-roots-20101125/
This bug is about adding roots to NSS, not about EV.
Any discussion regarding EV should happen in bug 578499, not here.


So, here is my request to the CA, Izenpe.com, in accordance with the first comment in this bug, section (2):

Please download a test build from comment 10.

Please confirm that your root certificate(s) are correctly added to the NSS
root store.

In particular, please make sure that the certificates have the correct trust
flags. You can use Firefox preferences / advanced / encryption / certificates /
edit-trust to look at the trust flags.

Once you have confirmed, we are ready to add your certs to NSS.


(There is still a problem regarding EV. But we must discuss remaining EV
problems in bug 578499, not here).
Iñigo, please see comment 11.
Hi Kai,

I can confirm that everything is OK.

Regards
Fixed by bug 613394
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
(In reply to Nelson Bolyard (seldom reads bugmail) from comment #6)
> We dare not add the root while the OCSP infrastructure is not working.