Bug 614852 - Enable multiple roots from NSS 3.12.9 for EV. (Nov/Dec 2010 batch)
Status: VERIFIED FIXED
Product: Core
Classification: Components
Component: Security: PSM
Version: Trunk
Platform: All All
Importance: -- normal
Assigned To: Kai Engert (:kaie)
Triage Owner: David Keeler [:keeler] (use needinfo?)
Mentors:
Depends on: 599324 613394
Blocks: 562399 593067
Reported: 2010-11-25 12:11 PST by Kai Engert (:kaie)
Modified: 2011-03-04 10:14 PST
.17-fixed
.19-fixed


Attachments
Patch v1 (4.06 KB, patch)
2010-11-25 13:06 PST, Kai Engert (:kaie)
no flags
Patch v2 (2.26 KB, patch)
2010-12-01 08:25 PST, Kai Engert (:kaie)
honzab.moz: review+
bugzilla: approval2.0+
dveditz: approval1.9.2.17+
dveditz: approval1.9.1.19+

Description Kai Engert (:kaie) 2010-11-25 12:11:06 PST
Enable multiple roots for EV. (Nov/Dec 2010 batch, most depend on NSS 3.12.9)
Comment 1 Kai Engert (:kaie) 2010-11-25 13:06:41 PST
Created attachment 493296
Patch v1

I used this patch for initial testing.
Only 1 out of multiple test sites gives me EV.
Comment 2 Kai Engert (:kaie) 2010-12-01 08:19:51 PST
We have positive test results for TC Trustcenter, they will be included.


We were unable to confirm that Izenpe.com's OCSP infrastructure is set up correctly; I'm removing them from this batch.


Regarding Camerfirma:
Based on incomplete test server infrastructure, it has been decided, only a subset of the request will be implemented. I'm removing 2 OIDs. I'm keeping the 2 OIDs which gave positive test results.
Comment 3 Kai Engert (:kaie) 2010-12-01 08:25:46 PST
Created attachment 494393
Patch v2
Comment 4 Honza Bambas (:mayhemer) 2010-12-01 14:19:18 PST
Comment on attachment 494393
Patch v2

r=honzab

OIDs checked via the pending certificate list page.

Only concern I have - Camerfirma seems to use different OID for EV and OV certs, shouldn't we duplicate both entries also for the secondary OIDs (1.3.6.1.4.1.17326.10.14.2.2.2 and 1.3.6.1.4.1.17326.10.8.12.2.2)?
Comment 5 Kai Engert (:kaie) 2010-12-06 09:33:11 PST
> r=honzab

Thanks


> Only concern I have - Camerfirma seems to use different OID for EV and OV
> certs, shouldn't we duplicate both entries also for the secondary OIDs
> (1.3.6.1.4.1.17326.10.14.2.2.2 and 1.3.6.1.4.1.17326.10.8.12.2.2) ?


No. Camerfirma agreed to omit these OIDs,
because they could not provide us with test URLs for these OIDs.

See bug 562399 comment 19 and 20.
Comment 6 Kai Engert (:kaie) 2010-12-10 03:25:48 PST
Comment on attachment 494393
Patch v2

Now that NSS 3.12.9 (beta) has been landed, and the new roots are available, we're ready to get these enabled for EV.
Comment 7 Kai Engert (:kaie) 2011-02-17 05:54:57 PST
http://hg.mozilla.org/mozilla-central/rev/79eacfd734ea
Comment 8 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-02-18 15:27:13 PST
Is there a way I can test this to mark this bug VERIFIED?
Comment 9 Kai Engert (:kaie) 2011-02-21 02:58:20 PST
You should get green EV identity status at
https://testserver.universal-iii.trustcenter.de/
https://www.camerfirma.com/
https://server3.camerfirma.com/
Comment 10 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2011-02-21 10:23:13 PST
(In reply to comment #9)
> You should get green EV identity status at
> https://testserver.universal-iii.trustcenter.de/
> https://www.camerfirma.com/
> https://server3.camerfirma.com/

Thanks. Verified FIXED with Firefox 4.0b12pre 20110221.
Comment 11 Daniel Veditz [:dveditz] 2011-02-23 10:43:55 PST
Comment on attachment 494393
Patch v2

Approved for 1.9.2.15 and 1.9.1.18, a=dveditz for release-drivers
Comment 14 Daniel Veditz [:dveditz] 2011-03-04 10:14:43 PST
The "3.6.15" we're releasing today does not fix this bug; the release containing this bug fix has been renamed to "3.6.16" and the bugzilla flags will be updated to reflect that soon. Today's release is a re-release of 3.6.14 plus a fix for a bug that prevented many Java applets from starting up.
