Bug 617664 - Root Cleanup to remove legacy, expired, and disabled root certs
Status: RESOLVED FIXED (Closed)
Opened 14 years ago; closed 13 years ago
Category: CA Program :: CA Certificate Root Program (task)
Tracking: Not tracked
Reporter: kathleen.a.wilson; Assigned: kathleen.a.wilson
Whiteboard: Changes included in FF6.0
I am of the opinion that the following root certificates should be removed from NSS. The purpose of this bug is to follow Mozilla's Root Change Process to remove these root certs.
https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root

Reason for removal: Legacy, no longer in use

CN = AOL Time Warner Root Certification Authority 1
O = AOL Time Warner Inc.
SHA1 Fingerprint: 74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49
(bug #605187)

CN = AOL Time Warner Root Certification Authority 2
O = AOL Time Warner Inc.
SHA1 Fingerprint: FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A
(bug #605187)

Reason for removal: No longer needed to be included in NSS, and outdated key algorithm (MD5)

CN = Thawte Timestamping CA
O = Thawte
SHA1 Fingerprint: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56

CN = Thawte Personal Freemail CA
O = Thawte Consulting
SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85

Reason for removal: All trust bits already disabled; previously deprecated.

CN = Entrust.net Client Certification Authority
OU = (c) 1999 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = IPS CA Chained CAs Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57

CN = IPS CA CLASE1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF

CN = IPS CA CLASE3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C

CN = IPS CA CLASEA1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04

CN = IPS CA CLASEA3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E

CN = IPS CA Timestamping Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2

CN = UTN-USERFirst-Network Applications
O = The USERTRUST Network
SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
(owned by VeriSign)

Reason for removal: Expired or Expiring CA

OU = TC TrustCenter Class 2 CA
O = TC TrustCenter for Security in Data Networks GmbH
SHA1 Fingerprint: 83:8E:30:F7:7F:DD:14:AA:38:5E:D1:45:00:9C:0E:22:36:49:4F:AA
Expires: January 1, 2011

OU = TC TrustCenter Class 3 CA
O = TC TrustCenter for Security in Data Networks GmbH
SHA1 Fingerprint: 9F:C7:96:E8:F8:52:4F:86:3A:E1:49:6D:38:12:42:10:5F:1B:78:F5
Expires: January 1, 2011
Updated•14 years ago
Status: NEW → ASSIGNED
Comment 1•14 years ago
Tony, Bruce, and Rolf, please review the list in this bug of candidate root certificates to be removed from NSS. Please reply in this bug to indicate if you agree with the removal of these roots or not.

Tony: Thawte Timestamping CA, Thawte Personal Freemail CA, UTN-USERFirst-Network Applications
Bruce: Entrust.net Client Certification Authority, Entrust.net Client Certification Authority, Entrust.net Secure Server Certification Authority
Rolf: TC TrustCenter Class 2 CA, TC TrustCenter Class 3 CA (expiring)
Comment 2•14 years ago
I have reviewed the above Entrust.net roots and agree that it is OK to remove them from NSS.
Comment 3•14 years ago
Tony: I agree we can remove the Thawte Timestamping CA and Thawte Personal Freemail CA. We would want to retain the UTN-USERFirst-Network Applications root in the root store at this stage.
Comment 4•14 years ago
Rolf, how about the expiring TC TrustCenter roots? Bruce and Tony, thank you for your prompt response. Tony, I have noted that the UTN-USERFirst-Network root should not be removed at this time.
Comment 5•14 years ago
Please keep the TC TrustCenter Class 2 CA and TC TrustCenter Class 3 CA in the root store at this stage.
Comment 6•14 years ago
OK. Here's the updated list of root certificates that I am recommending be removed from NSS. I will start a discussion about it in m.d.s.policy now.

Reason for removal: Legacy, no longer in use

CN = AOL Time Warner Root Certification Authority 1
O = AOL Time Warner Inc.
SHA1 Fingerprint: 74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49
(bug #605187)

CN = AOL Time Warner Root Certification Authority 2
O = AOL Time Warner Inc.
SHA1 Fingerprint: FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A
(bug #605187)

Reason for removal: No longer needed to be included in NSS, and outdated key algorithm (MD5)

CN = Thawte Timestamping CA
O = Thawte
SHA1 Fingerprint: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56

CN = Thawte Personal Freemail CA
O = Thawte Consulting
SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85

Reason for removal: All trust bits already disabled; previously deprecated.

CN = Entrust.net Client Certification Authority
OU = (c) 1999 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = IPS CA Chained CAs Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57

CN = IPS CA CLASE1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF

CN = IPS CA CLASE3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C

CN = IPS CA CLASEA1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04

CN = IPS CA CLASEA3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E

CN = IPS CA Timestamping Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2
Comment 7•14 years ago
I have closed the discussion in mozilla.dev.security.policy about removing these root certificates. No substantial concerns were raised about removing these roots. The one item of note is that the reason for removing the Thawte roots listed above is that they are no longer needed to be included in NSS. I will file the NSS bug for the actual changes.
Comment 8•14 years ago
I have filed bug #622719 for the actual changes in NSS.
Whiteboard: Approved - awaiting NSS
Updated•13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS → Changes included in FF6.0
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program