Closed Bug 601083 Opened 12 years ago Closed 12 years ago

thawte Primary Root CA


(Firefox :: Security, defect)






(Reporter: shmakoff, Unassigned)



(4 files)

User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Build Identifier: 3.6.10

Add the "thawte Primary Root CA" certificate and mark it as allowed for checking XPI.

Reproducible: Always

Steps to Reproduce:
1. Create an XPI signed with thawte Primary Root CA/Thawte Code Signing CA - G2/own certificate.
2. Install this XPI in Mozilla.

Actual Results:  
XPI signed by 

thawte Primary Root CA
+ Thawte Code Signing CA - G2

does not have rights for XPI (error -260)
Attached file thawte Primary Root CA
Here is thawte Primary Root CA, extracted.
thawte Primary Root CA (and G2 and G3 too) is included in a base Firefox install. There's no reason to include it again (and since you're not working for thawte, it wouldn't be accepted anyway).

I think your problem is the same as bug 591870, which is duplicated to bug 321156.
Yes, you are right: FF 3.6.10 has this certificate, but:

thawte Primary Root CA (does not have rights for XPI by default - checkbox is empty) - see the picture (thawte). And I get error -260 when installing the XPI.

I have contacted Thawte and they sent me to Firefox support, because thawte Primary Root CA is used for application signing and XPI too....

But I have received 

 but thawte Primary Root CA (does not have rights for XPI - checkbox is empty)

Here is my code signing certificate that I obtained from Thawte.
The image shows that thawte Primary Root CA does not have rights to identify software makers, but thawte sent me a certificate for code signing (to identify software makers).

It's a logical collision: "thawte Primary Root CA" (certificate root) is published to identify software makers, but the builtin object "thawte Primary Root CA" does not have rights (by default) to identify software makers.
Please comment on this collision and how it should be solved:

- Thawte should regenerate the certificate from root "thawte Primary Root CA G2" or "thawte Primary Root CA G3"
- Firefox builtin object "thawte Primary Root CA" should obtain rights for "identify software makers"
Current state of thawte's certificates can be seen here : <>. Note that "thawte Primary Root CA" is NOT mentioned as suitable for code signing, only the G2 and G3 certificates.

Bug 407163 seems to be the one that added the "thawte Primary Root CA" - comment 28 mentions that the code signing bit is NOT supposed to be on. Comment 0 originally asked for a potential future inclusion though. Comment 30 mentions that it might be asked later, but I don't find any mention that this has happened. Bug 409237 and bug 484903 are about the G2 and G3 certificates.

Anyway, these kinds of changes will only be done on request from a representative from thawte.

Kathleen: do you know more about this?
A representative of the CA has created bug #601950 to request that the code signing trust bit be enabled for the "thawte Primary Root CA" certificate.
Closed: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 601950
The problem has been fixed by changing the certificate.

1) I saved my own certificate without the parent certificate tree.
2) Thawte sent me an updated "Thawte Code Signing CA - G2 - Thawte Consulting cc" certificate that changes the root certificate from "thawte Primary Root CA" to "Thawte Primary Server CA", which I added to *.db before signing the XPI.

Now FF installs the XPI, until "thawte Primary Root CA" allows installing XPI without any manipulation (bug 601950).


 They has been sent me Code
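The empty "identify software makers" checkbox discussed in this thread corresponds to the third trust field (JAR/XPI, object signing) in an NSS `certutil -L` listing. The following is an added example, not part of the bug thread or of Mozilla's code: it filters such a listing for CA entries that lack the trusted-CA flag `C` in that field. The sample listing and its trust values are constructed for illustration, the nicknames starting with "Example" are hypothetical, and the function names are assumptions.

```shell
#!/bin/sh
# Added example: find CA entries in `certutil -L` output that are not
# trusted CAs for object signing (third trust field, JAR/XPI).

# Constructed sample in the layout printed by `certutil -L -d <db dir>`.
# Trust values are made up; "Example ..." nicknames are hypothetical.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

thawte Primary Root CA                                       C,C,
Example Code Signing Root                                    C,C,C
Example Mail Root                                            c,C,c
Thawte Code Signing CA - G2                                  ,,
Example Publisher Ltd                                        u,u,u
EOF
}

# Reads a certutil -L listing on stdin and prints "nickname<TAB>flags"
# for each entry that carries a CA flag (c or C) in some field but has
# no C in the object-signing field. Header and blank lines do not match
# the flags pattern and are skipped. Entries with no CA flag at all
# (",," intermediates, "u,u,u" user certs) are not reported: an
# intermediate is trusted through its chain, not through its own flags.
cas_without_objsign_trust() {
    awk '
    $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        flags = $NF
        line = $0
        sub(/ +$/, "", line)                  # drop trailing blanks
        nick = substr(line, 1, length(line) - length(flags))
        sub(/ +$/, "", nick)                  # drop column padding
        split(flags, f, ",")                  # f[3] is the JAR/XPI field
        if (flags ~ /[cC]/ && f[3] !~ /C/)
            printf "%s\t%s\n", nick, flags
    }'
}

# Stand-alone run over the constructed sample.
sample_listing | cas_without_objsign_trust
```

On a real database, pipe the output of `certutil -L -d` for that directory into `cas_without_objsign_trust` instead of the sample.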