Check in all root certs, if possible

VERIFIED FIXED in Future

Status

Product: NSS
Component: Libraries
Priority: P1
Severity: major
Status: VERIFIED FIXED
Opened 18 years ago, closed 17 years ago

People

(Reporter: BenB, Assigned: Ian McGreer)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PDT+, needs a=, critical for 0.9.2)

Attachments

(2 attachments)

(Reporter)

Description

18 years ago
Reproduce:
1. Build psm.xpi with |make build_xpi| (see build instructions)
2. Install the xpi in a fresh (open-source) Mozilla nightly build, fresh profile
3. Visit <https://services.db-privatebanking.de>

Actual result:
A warning dialog pops up, saying that the CA for the certificate is not
recognized. View the certificate to see that it is issued by "Verisign Trust
Network".

Expected result:
Since Verisign and Thawte seem to agree to the distribution of their certs (see
<http://lxr.mozilla.org/mozilla/security/nss/lib/ckfw/builtins/certdata.txt>),
all Verisign and Thawte certs are recognized.

Additional Comments:
Please check in all of them into the Mozilla tree ASAP (i.e. before N6
shipment), or tell me how to convert the certs into the certdata.txt format, so
I can fix it myself. This is a blocker for me - shipping PSM without reasonable
root certs is practically impossible.

I do use the builtin root certs - No warning on <https://admin.he.net> (issued
by Thawte).
(Reporter)

Comment 1

18 years ago
eh, wrong summary, correcting.
Summary: Root certs lib not shipped → Check in all root certs, if possible
(Reporter)

Comment 2

18 years ago
I got completely confused - sorry. You need the patch for bug 59162 - otherwise,
*no* cert will be recognized, not even that for he.net.
(Reporter)

Updated

18 years ago
Blocks: 54184
(Reporter)

Comment 3

18 years ago
Ian fixed the first part of it, reassigning to him (reassign to
<relyea%netscape.com>, when (s)he is back).

The site mentioned in the reproduction now works. Thanks Ian.

Checked in are:
- VeriSign/Thawte
- TC Trustcenter
- GlobalSign/BelSign

Leaving open, since there are still lots of certs (all from digsigtrust and many
smaller CAs) missing.
Assignee: lord → mcgreer
Component: Daemon → Libraries
Product: PSM → NSS
Version: 1.4 → 3.1
(Reporter)

Comment 4

18 years ago
Filed bug 59614 about making the tool for creating certdata.txt publicly
available.

Updated

18 years ago
QA Contact: nitinp → junruh

Comment 5

18 years ago
Ian, have we checked in all the root certs?  Can this
be done in NSS 3.2 time frame?
Target Milestone: --- → 3.2
(Reporter)

Comment 6

18 years ago
Already in:
- Verisign (thousands of times)
- Thawte
- TC Trustcenter
- GlobalSign/BelSign
- ValiCert

The following ones are missing (we have OK to check in):
- Deutsche Telekom (T-TeleSec)
- Entrust

No response so far from (available in 4.x, not yet checked into Mozilla, I
mailed them, no response, legal status unclear):
- DigSigTrust
- Equifax
- Baltimore

Not contacted (available in 4.x, not yet checked into Mozilla, I didn't mail
them yet, because of missing contact info):
- GTE Cybertrust
- E-Certify
- possibly others

Didn't check Netscape 6, if there are new certs we should distribute, too.
(Reporter)

Updated

18 years ago
Severity: blocker → major
(Assignee)

Comment 7

18 years ago
Have checked in Entrust and Deutsche Telekom.

marking as future, will watch this bug as more approvals come in.

I think Baltimore is under the new contract, so they can be checked in...
Target Milestone: 3.2 → Future
(Reporter)

Updated

17 years ago
Keywords: mozilla1.0
(Reporter)

Updated

17 years ago
No longer blocks: 54184
(Assignee)

Comment 8

17 years ago
Created attachment 38752
patch to add remaining roots from 4.x to mozilla
(Assignee)

Comment 9

17 years ago
*** Bug 83847 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 10

17 years ago
Created attachment 39140
updated patch includes changes to USPS roots, and has both certdata.c and certdata.txt

Comment 11

17 years ago
r=javi
rs=blizzard

Comment 13

17 years ago
-> P1
Priority: P3 → P1
Whiteboard: PDT+, needs a=
a=blizzard on behalf of drivers for 0.9.2
Whiteboard: PDT+, needs a= → PDT+, needs a=, critical for 0.9.2
(Assignee)

Comment 15

17 years ago
last set of roots checked in 6/20
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED

Comment 16

17 years ago
Verified.
Status: RESOLVED → VERIFIED