Closed Bug 617664 Opened 11 years ago Closed 10 years ago

Root Cleanup to remove legacy, expired, and disabled root certs

Categories: NSS :: CA Certificate Root Program (task)

RESOLVED FIXED

People: Reporter: kwilson; Assigned: kwilson

(Whiteboard: Changes included in FF6.0)

I am of the opinion that the following root certificates should be removed from NSS. 

The purpose of this bug is to follow Mozilla’s Root Change Process to remove these root certs.
https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root


Reason for removal: Legacy, no longer in use

CN = AOL Time Warner Root Certification Authority 1
O = AOL Time Warner Inc.
SHA1 Fingerprint: 74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49
(bug #605187)

CN = AOL Time Warner Root Certification Authority 2
O = AOL Time Warner Inc.
SHA1 Fingerprint: FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A
(bug #605187)


Reason for removal: No longer needed to be included in NSS, and outdated key algorithm (MD5)

CN = Thawte Timestamping CA
O = Thawte
SHA1 Fingerprint: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56

CN = Thawte Personal Freemail CA
O = Thawte Consulting
SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85


Reason for removal: All trust bits already disabled; previously deprecated.

CN = Entrust.net Client Certification Authority
OU = (c) 1999 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = IPS CA Chained CAs Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57

CN = IPS CA CLASE1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF

CN = IPS CA CLASE3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C

CN = IPS CA CLASEA1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04

CN = IPS CA CLASEA3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E

CN = IPS CA Timestamping Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2

CN = UTN-USERFirst-Network Applications
O = The USERTRUST Network
SHA1 Fingerprint: 5D:98:9C:DB:15:96:11:36:51:65:64:1B:56:0F:DB:EA:2A:C2:3E:F1
(owned by VeriSign)


Reason for removal: Expired or Expiring CA

OU = TC TrustCenter Class 2 CA
O = TC TrustCenter for Security in Data Networks GmbH
SHA1 Fingerprint: 83:8E:30:F7:7F:DD:14:AA:38:5E:D1:45:00:9C:0E:22:36:49:4F:AA
Expires: January 1, 2011

OU = TC TrustCenter Class 3 CA
O = TC TrustCenter for Security in Data Networks GmbH
SHA1 Fingerprint: 9F:C7:96:E8:F8:52:4F:86:3A:E1:49:6D:38:12:42:10:5F:1B:78:F5
Expires: January 1, 2011
Status: NEW → ASSIGNED
Tony, Bruce, and Rolf, 

Please review the list in this bug of candidate root certificates to be removed from NSS. Please reply in this bug to indicate if you agree with the removal of these roots or not.

Tony: Thawte Timestamping CA, Thawte Personal Freemail CA, UTN-USERFirst-Network Applications

Bruce: Entrust.net Client Certification Authority, Entrust.net Client Certification Authority, Entrust.net Secure Server Certification Authority

Rolf: TC TrustCenter Class 2 CA, TC TrustCenter Class 3 CA (expiring)
I have reviewed the above Entrust.net roots and agree that it is OK to remove them from NSS.
Tony: I agree we can remove the Thawte Timestamping CA and Thawte Personal Freemail CA. We would want to retain the UTN-USERFirst-Network Applications root in the root store at this stage.
Rolf, How about the expiring TC TrustCenter roots?

Bruce and Tony, thank you for your prompt response. 

Tony, I have noted that the UTN-USERFirst-Network root should not be removed at this time.
Please keep the TC TrustCenter Class 2 CA and TC TrustCenter Class 3 CA in the root store at this stage.
OK.

Here's the updated list of root certificates that I am recommending be removed from NSS. I will start a discussion about it in m.d.s.policy now.

Reason for removal: Legacy, no longer in use

CN = AOL Time Warner Root Certification Authority 1
O = AOL Time Warner Inc.
SHA1 Fingerprint: 74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49
(bug #605187)

CN = AOL Time Warner Root Certification Authority 2
O = AOL Time Warner Inc.
SHA1 Fingerprint: FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A
(bug #605187)


Reason for removal: No longer needed to be included in NSS, and outdated key algorithm (MD5)

CN = Thawte Timestamping CA
O = Thawte
SHA1 Fingerprint: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56

CN = Thawte Personal Freemail CA
O = Thawte Consulting
SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85


Reason for removal: All trust bits already disabled; previously deprecated.

CN = Entrust.net Client Certification Authority
OU = (c) 1999 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = IPS CA Chained CAs Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57

CN = IPS CA CLASE1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF

CN = IPS CA CLASE3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C

CN = IPS CA CLASEA1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04

CN = IPS CA CLASEA3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E

CN = IPS CA Timestamping Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2
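A removal from NSS only reaches systems that pick up the updated root module; a local trust bundle, a pinned CA file in an application, or a vendored copy of an older NSS store can keep carrying these roots. The following Python script is an added example, not code from this bug or from NSS: it computes the SHA1 fingerprint of every certificate in a PEM bundle (SHA1 over the DER encoding, which is what the fingerprints in this bug are) and reports any entry whose fingerprint is on the final removal list above. The bundle it runs on is constructed from placeholder byte strings rather than real certificates, so against the bug's own list it reports nothing; the `__main__` block then shows a hit by adding a placeholder's fingerprint to the list. The `normalize_fingerprint` helper accepts colon-, space- or unseparated hex in either case, so values pasted from different tools compare equal.

```python
"""Audit a PEM bundle for the roots this bug removed from NSS (added example)."""
import base64
import hashlib
import re

# SHA1 fingerprints copied from the final removal list in this bug.  The two
# TC TrustCenter roots and the UTN-USERFirst-Network Applications root were
# retained at the CAs' request and are deliberately absent.
REMOVAL_LIST = {
    "AOL Time Warner Root Certification Authority 1":
        "74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49",
    "AOL Time Warner Root Certification Authority 2":
        "FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A",
    "Thawte Timestamping CA":
        "BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56",
    "Thawte Personal Freemail CA":
        "20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85",
    "Entrust.net Client Certification Authority (1999)":
        "DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80",
    "Entrust.net Client Certification Authority (2000)":
        "CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73",
    "Entrust.net Secure Server Certification Authority":
        "89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93",
    "IPS CA Chained CAs Certification Authority":
        "C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57",
    "IPS CA CLASE1 Certification Authority":
        "43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF",
    "IPS CA CLASE3 Certification Authority":
        "41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C",
    "IPS CA CLASEA1 Certification Authority":
        "33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04",
    "IPS CA CLASEA3 Certification Authority":
        "16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E",
    "IPS CA Timestamping Certification Authority":
        "96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2",
}

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def normalize_fingerprint(fp):
    """Canonical form: 20 uppercase hex byte pairs separated by colons.

    Accepts colon-, space- or unseparated hex in either case, so a value
    pasted from a bug, a browser dialog or an openssl listing compares equal.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", fp).upper()
    if len(hexdigits) != 40:
        raise ValueError("not a SHA1 fingerprint: %r" % (fp,))
    return ":".join(hexdigits[i:i + 2] for i in range(0, 40, 2))


def sha1_fingerprint(der):
    """The SHA1 fingerprint of a certificate is SHA1 over its DER encoding."""
    return normalize_fingerprint(hashlib.sha1(der).hexdigest())


def pem_to_der(pem_text):
    """Yield the DER bytes of every CERTIFICATE block in a PEM bundle."""
    for match in PEM_CERT_RE.finditer(pem_text):
        yield base64.b64decode("".join(match.group(1).split()))


def audit_bundle(pem_text, removal_list=REMOVAL_LIST):
    """Return (index, name, fingerprint) for each bundle entry on the list."""
    wanted = {normalize_fingerprint(fp): name for name, fp in removal_list.items()}
    hits = []
    for index, der in enumerate(pem_to_der(pem_text)):
        fp = sha1_fingerprint(der)
        if fp in wanted:
            hits.append((index, wanted[fp], fp))
    return hits


def make_pem(der):
    """Wrap bytes as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(lines)


# Constructed sample bundle: placeholder byte strings, not real certificates.
# They only exercise the PEM parsing and the fingerprint matching.
SAMPLE_CERTS = [b"constructed placeholder cert A", b"constructed placeholder cert B"]
SAMPLE_BUNDLE = "".join(make_pem(der) for der in SAMPLE_CERTS)


if __name__ == "__main__":
    print("hits against the bug's list:", audit_bundle(SAMPLE_BUNDLE))
    # Simulate a store that still carries a removed root by putting the
    # second placeholder's own fingerprint on the list.
    extended = dict(REMOVAL_LIST)
    extended["placeholder B"] = sha1_fingerprint(SAMPLE_CERTS[1])
    print("hits with extended list:", audit_bundle(SAMPLE_BUNDLE, extended))
```

To run it against a real store, read a bundle such as a ca-certificates PEM file into `pem_text` and call `audit_bundle(pem_text)`; an empty result means none of the removed roots are present in that file. Only the standard library is used, so the script runs anywhere Python does.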
I have closed the discussion in mozilla.dev.security.policy about removing these root certificates. No substantial concerns were raised about removing these roots.

The one item of note is that the reason for removing the Thawte roots listed above is that they are no longer needed to be included in NSS. 

I will file the NSS bug for the actual changes.
Depends on: 622719
I have filed bug #622719 for the actual changes in NSS.
Whiteboard: Approved - awaiting NSS
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS → Changes included in FF6.0
Product: mozilla.org → NSS