Bug 601083: thawte Primary Root CA
Status: RESOLVED DUPLICATE of bug 601950
Opened 15 years ago, closed 15 years ago
Categories: Firefox :: Security, defect
People: Reporter: shmakoff, Unassigned
Attachments: 4 files
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)
Build Identifier: 3.6.10
Add the "thawte Primary Root CA" certificate and mark it as allowed for checking XPI.
Reproducible: Always
Steps to Reproduce:
1. Create an XPI signed by thawte Primary Root CA/Thawte Code Signing CA - G2/own certificate.
2. Install this XPI in Mozilla.
Actual Results:
XPI signed by
thawte Primary Root CA
+ Thawte Code Signing CA - G2
++ SPIRIT
does not have rights for XPI (error -260)
Comment 1 (Reporter) • 15 years ago
Here is the extracted thawte Primary Root CA.
Comment 2 • 15 years ago
thawte Primary Root CA (and G2 and G3 too) is included in a base Firefox install. There's no reason to include it again (and since you're not working for thawte, it wouldn't be accepted anyway).
I think your problem is the same as bug 591870, which is duplicated to bug 321156.
Comment 3 (Reporter) • 15 years ago
Yes, you are right: FF 3.6.10 has this certificate, but:
thawte Primary Root CA (does not have rights for XPI by default - checkbox is empty) - see a picture (thawte). And I get error -260 when installing the XPI.
I contacted Thawte and they sent me to Firefox support, because thawte Primary Root CA is used for application signing and XPI too....
But I have received
but thawte Primary Root CA (does not have rights for XPI - checkbox is empty)
But I have received
Comment 4 (Reporter) • 15 years ago
Here is my code signing certificate obtained from Thawte.
Comment 5 (Reporter) • 15 years ago
The image shows that thawte Primary Root CA does not have rights to identify software makers, but thawte sent me a certificate for code signing (to identify software makers).
It's a logical collision: "thawte Primary Root CA" (certificate root) is published to identify software makers, but the builtin object "thawte Primary Root CA" does not have rights (by default) to identify software makers.
Comment 6 (Reporter) • 15 years ago
Please comment on this collision and how it should be solved:
- Thawte should regenerate the certificate from root
"thawte Primary Root CA G2" or "thawte Primary Root CA G3"
or
- The Firefox builtin object "thawte Primary Root CA" should obtain rights for
"identify software makers"
Comment 7 • 15 years ago
Current state of thawte's certificates can be seen here : <http://www.mozilla.org/projects/security/certs/pending/#thawte>. Note that "thawte Primary Root CA" is NOT mentioned as suitable for code signing, only the G2 and G3 certificates.
Bug 407163 seems to be the one that added the "thawte Primary Root CA" - comment 28 mentions that the code signing bit is NOT supposed to be on. Comment 0 originally asked for a potential future inclusion though. Comment 30 mentions that it might be asked later, but I don't find any mentioning that this has happened. Bug 409237 and bug 484903 are about the G2 and G3 certificates.
Anyway, these kinds of changes will only be done on request from a representative from thawte.
Kathleen: do you know more about this ?
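The trust-bit mismatch described in comment 7, as an added example that is not part of the original bug thread or Mozilla's code: a shell function that reads a certificate listing in the layout printed by NSS `certutil -L` and reports whether a root carries the trusted-CA flag in the object-signing (JAR/XPI) field. The listing is constructed sample data, and `sample_listing` and `objsign_trust` are hypothetical names.

```shell
#!/bin/sh
# Constructed sample in the layout of `certutil -L -d <dbdir> -h all`:
# nickname, then trust flags as SSL,S/MIME,JAR/XPI. The flag values are
# constructed to mirror the state described in this bug, not captured output.
sample_listing() {
cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:thawte Primary Root CA                  C,C,
Builtin Object Token:thawte Primary Root CA - G2             C,C,C
Builtin Object Token:thawte Primary Root CA - G3             C,C,C
Thawte Code Signing CA - G2                                  ,,
EOF
}

# objsign_trust NICKNAME (hypothetical helper): reads a listing on stdin.
# Prints "trusted" if the third (JAR/XPI) field has the trusted-CA flag "C",
# "untrusted" if the entry exists without it, "missing" if it is not listed.
objsign_trust() {
  awk -v want="$1" '
    # Only rows whose last column looks like flags,flags,flags are entries;
    # this skips both header lines and blank lines.
    NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
      flags = $NF
      name = $0
      sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)    # drop the trust column
      sub(/^[ \t]+/, "", name)                 # nicknames contain spaces
      sub(/^Builtin Object Token:/, "", name)  # builtin roots carry a token prefix
      if (name == want) {
        split(flags, f, ",")
        print (index(f[3], "C") ? "trusted" : "untrusted")
        found = 1
        exit
      }
    }
    END { if (!found) print "missing" }
  '
}

# The root from this bug is present but lacks the object-signing bit.
sample_listing | objsign_trust "thawte Primary Root CA"
```

Against a real profile, the output of `certutil -L` for the profile's database directory would replace `sample_listing`.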
Comment 8 (Reporter) • 15 years ago
Comment 9 • 15 years ago
A representative of the CA has created bug #601950 to request that the code signing trust bit be enabled for the "thawte Primary Root CA" certificate.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Comment 10 (Reporter) • 15 years ago
The problem has been fixed by changing the certificate.
1) I saved my own certificate without the parent certificate tree.
2) Thawte sent me an updated "Thawte Code Signing CA - G2 - Thawte Consulting cc" certificate that changes the root certificate from "thawte Primary Root CA" to "Thawte Primary Server CA", which I added to *.db before signing the XPI.
Now FF installs the XPI, until "thawte Primary Root CA" allows installing XPI without any manipulation (bug 601950).
Thanks.
They has been sent me Code
Comment 11 (Reporter) • 15 years ago