Closed Bug 595013 Opened 15 years ago Closed 15 years ago

Enable Code Signing Trust Bit for DigiCert's three Roots in NSS

Categories

(NSS :: CA Certificates Code, task)

Product:
NSS
Component:
CA Certificates Code
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: KaiE)

References

Details

Attachments

(1 file)

Patch v1
7.99 KB, patch
nelson
: review+
Details | Diff | Splinter Review
This bug requests that the code signing trust bit be enabled by default in the NSS root certificate store for the following three certificates, owned by DigiCert. Friendly name: DigiCert Assured ID Root CA SHA1 Fingerprint: 05:63:B8:63:0D:62:D7:5A:BB:C8:AB:1E:4B:DF:B5:A8:99:B2:4D:43 Trust flags: Websites, Email, Code Signing Test URL: https://catest.digicert-assured-id-ca-1.digicert.com/ Friendly name: DigiCert Global Root CA SHA1 Fingerprint: A8:98:5D:3A:65:E5:E5:C4:B2:D7:D6:6D:40:C6:DD:2F:B1:9C:54:36 Trust flags: Websites, Email, Code Signing Test URL: https://catest.digicert-global-ca-1.digicert.com/ Friendly name: DigiCert High Assurance EV Root CA SHA1 Fingerprint: 5F:B7:EE:06:33:E2:59:DB:AD:OC:4C:9A:E6:D3:8F:1A:61:C7:DC:25 Trust flags: Websites, Email, Code Signing Test URL: https://catest.digicert-high-assurance-ev-ca-1.digicert.com/ This CA has been assessed in accordance with the Mozilla project guidelines, and the change has been approved in bug #515425. The next steps are as follows: 1) A representative of the CA must confirm that all the data in this bug is correct. They must also specify what OS they would like to use to perform the verification below. 2) A Mozilla representative creates a test build of NSS with the changes, and attaches nssckbi.dll to this bug. A representative of the CA must download this, drop it into a copy of Firefox and/or Thunderbird on the OS in question and confirm (by adding a comment here) that the certificates have been correctly updated. 3) The Mozilla representative checks the changes into the NSS store, and marks the bug RESOLVED FIXED. 4) At some time after that, various Mozilla products will move to using a version of NSS which contains the changes. This process is mostly under the control of the release drivers for those products.
Jeremy, Please see step #1 above.
Jeremy, Thanks for confirming that the data in this bug is correct, and for providing the updated test URLs. Root inclusions/updates are usually grouped and done as a batch when there is either a large enough set of changes or about every 3 months. At some point in the next 3 months a test build will be provided and this bug will be updated to request that you test it. Since you are cc'd on this bug, you will get notification via email when that happens.
Attached patch Patch v1Splinter Review
Attachment #491721 - Flags: review?(nelson)
Assignee: nobody → kaie
Depends on: 613394
Current test builds (Mozilla experimental) for various platforms can be found at http://stage.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-b725b0fd279e/ Please note the builds at above location will be automatically deleted after two weeks, so please make copies if you need them. Please test and confirm that your roots have been added correctly, with the correct trust flags (use certificate manager, find your cert, click "view" to see the trust flags). (Please note, if you have asked for enabling EV, that's not yet done, and will be a separate step.)
Comment on attachment 491721 [details] [diff] [review] Patch v1 r=nelson I have confirmed that this patch changes just the code signing trust bit on 3 certs, and that those 3 certs have the SHA1 fingerprints given in this bug.
Attachment #491721 - Flags: review?(nelson) → review+
trunk checkin Checking in certdata.c; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c new revision: 1.71; previous revision: 1.70 done Checking in certdata.txt; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt new revision: 1.68; previous revision: 1.67 done
3.12 branch checkin: Checking in certdata.c; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c new revision: 1.67.2.4; previous revision: 1.67.2.3 done Checking in certdata.txt; /cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt new revision: 1.64.2.4; previous revision: 1.64.2.3 done
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: