Status

Firefox
Security
critical
RESOLVED DUPLICATE of bug 601950
7 years ago

People

(Reporter: Ivan A. Shmakov, Unassigned)

Attachments

(4 attachments)

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Build Identifier: 3.6.10

Add the "thawte Primary Root CA" certificate and mark it as allowed for checking XPI.


Reproducible: Always

Steps to Reproduce:
1. Create an XPI signed with thawte Primary Root CA/Thawte Code Signing CA - G2/own certificate.
2. Install this XPI in Mozilla.

Actual Results:  
XPI signed by 

thawte Primary Root CA
+ Thawte Code Signing CA - G2
++ SPIRIT

does not have rights for XPI (error -260)
(Reporter)

Comment 1

7 years ago
Created attachment 480061 [details]
thawte Primary Root CA

Here is the extracted thawte Primary Root CA.

Comment 2

7 years ago
thawte Primary Root CA (and G2 and G3 too) is included in a base Firefox install. There's no reason to include it again (and since you're not working for thawte, it wouldn't be accepted anyway).

I think your problem is the same as bug 591870, which is marked as a duplicate of bug 321156.
(Reporter)

Comment 3

7 years ago
Created attachment 480093 [details]
Screenshot of FF trust rights for thawte Primary Root CA

Yes, you are right: FF 3.6.10 has this certificate, but:

thawte Primary Root CA does not have rights for XPI by default (the checkbox is empty) - see the picture (thawte). And I get error -260 when installing the XPI.

I contacted Thawte and they sent me to Firefox support, because thawte Primary Root CA is used for application signing and XPI too....



But I have received 


 but thawte Primary Root CA (does not have rights for XPI - checkbox is empty)



But I have received
(Reporter)

Comment 4

7 years ago
Created attachment 480597 [details]
My code-signing certificate

Here is my code signing certificate that I obtained from Thawte.
(Reporter)

Comment 5

7 years ago
Created attachment 480599 [details]
Image shows that thawte Primary Root CA does not have rights to identify software makers

The image shows that thawte Primary Root CA does not have rights to identify software makers, but thawte sent me a certificate for code signing (for identifying software makers).

It's a logical collision: "thawte Primary Root CA" (certificate root) is published for identifying software makers, but the builtin object "thawte Primary Root CA" does not have rights (by default) to identify software makers.
(Reporter)

Comment 6

7 years ago
Please comment on this collision and how it should be solved:

- Thawte should regenerate the certificate from root "thawte Primary Root CA G2" or "thawte Primary Root CA G3"
or
- the Firefox builtin object "thawte Primary Root CA" should obtain rights to "identify software makers"

Comment 7

7 years ago
The current state of thawte's certificates can be seen here: <http://www.mozilla.org/projects/security/certs/pending/#thawte>. Note that "thawte Primary Root CA" is NOT mentioned as suitable for code signing, only the G2 and G3 certificates.

Bug 407163 seems to be the one that added the "thawte Primary Root CA" - comment 28 mentions that the code signing bit is NOT supposed to be on. Comment 0 originally asked for a potential future inclusion though. Comment 30 mentions that it might be asked later, but I don't find any mention that this has happened. Bug 409237 and bug 484903 are about the G2 and G3 certificates.

Anyway, these kinds of changes will only be done on request from a representative from thawte.

Kathleen: do you know more about this?
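
The trust-bit state discussed in comment 7 can be checked locally. As an added example (not part of the bug thread or of Mozilla's code), the Python below parses a listing in the layout NSS `certutil -L` prints and reports whether a signing chain reaches a CA trusted for object signing. The listing is constructed sample data, the helper names are hypothetical, and the chain walk is a simplified model of anchor selection, not NSS's validator.

```python
import re

# Constructed listing in the layout NSS `certutil -L -d <dir>` prints:
# nickname, then trust flags for SSL, S/MIME and JAR/XPI (object signing).
SAMPLE_LISTING = """\
Certificate Nickname                      Trust Attributes
                                          SSL,S/MIME,JAR/XPI

thawte Primary Root CA                    C,C,
thawte Primary Root CA - G2               C,C,C
Thawte Code Signing CA - G2               ,,
SPIRIT                                    u,u,u
"""

# A data row is a nickname, two or more spaces, then three comma-separated flag sets.
ROW = re.compile(r"^(\S.*?)\s{2,}([pPcCTuw]*),([pPcCTuw]*),([pPcCTuw]*)\s*$")

def parse_trust(listing):
    """Map nickname -> (ssl, email, objsign) flag strings; header rows are skipped."""
    trust = {}
    for line in listing.splitlines():
        m = ROW.match(line)
        if m:
            trust[m.group(1)] = m.groups()[1:]
    return trust

def signing_anchor(chain, trust):
    """Return the first CA above the leaf that carries 'C' (trusted CA) in the
    object-signing field, or None when the chain has no code-signing anchor."""
    for nickname in chain[1:]:
        objsign = trust.get(nickname, ("", "", ""))[2]
        if "C" in objsign:
            return nickname
    return None

def report(chain, trust):
    """One-line summary for a chain given leaf first."""
    anchor = signing_anchor(chain, trust)
    if anchor is None:
        return "no code-signing trust anchor in chain: " + " <- ".join(chain)
    return "chain anchored for code signing at: " + anchor

if __name__ == "__main__":
    trust = parse_trust(SAMPLE_LISTING)
    # Chain from the bug report, leaf first.
    print(report(["SPIRIT", "Thawte Code Signing CA - G2", "thawte Primary Root CA"], trust))
```
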
(Reporter)

Comment 8

7 years ago
Add jschiavo@verisign.com

Comment 9

7 years ago
A representative of the CA has created bug #601950 to request that the code signing trust bit be enabled for the "thawte Primary Root CA" certificate.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 601950
(Reporter)

Comment 10

7 years ago
The problem has been fixed by changing the certificate.

1) I saved my own certificate without the parent certificate tree.
2) Thawte sent me an updated "Thawte Code Signing CA - G2 - Thawte Consulting cc" certificate that changes the root certificate from "thawte Primary Root CA" to "Thawte Primary Server CA", which I add to *.db before signing the XPI.

Now FF installs the XPI, until "thawte Primary Root CA" allows installing XPI without any manipulation (bug 601950).

Thanks.




 They has been sent me Code
(Reporter)

Comment 11

7 years ago
https://search.thawte.com/support/ssl-digital-certificates/index?page=content&id=SO16126