Remove legacy root certificates from NSS

RESOLVED FIXED in 3.12.10

Status

NSS
CA Certificates Code
--
enhancement
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: Kathleen Wilson, Assigned: kaie)

Tracking

trunk
3.12.10
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

132.86 KB, patch
Nelson Bolyard (seldom reads bugmail)
: review-
Details | Diff | Splinter Review
132.33 KB, patch
Robert Relyea
: review+
Details | Diff | Splinter Review
(Reporter)

Description

7 years ago
This bug requests that the following root certificates be removed from the NSS root certificate store.

CN = AOL Time Warner Root Certification Authority 1
O = AOL Time Warner Inc.
SHA1 Fingerpint: 74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49

CN = AOL Time Warner Root Certification Authority 2
O = AOL Time Warner Inc.
SHA1 Fingerprint: FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A

CN = Thawte Timestamping CA
O = Thawte
SHA1 Fingerprint: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56

CN = Thawte Personal Freemail CA
O = Thawte Consulting
SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85

CN = Entrust.net Client Certification Authority
OU = (c) 1999 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = IPS CA Chained CAs Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57

CN = IPS CA CLASE1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF

CN = IPS CA CLASE3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C

CN = IPS CA CLASEA1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04

CN = IPS CA CLASEA3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E

CN = IPS CA Timestamping Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2


This list of root certificates to be removed has been assessed in accordance with Mozilla’s Root Change Process:
https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root

The changes have been discussed in the mozilla.dev.security.policy forum and approved in bug #617664.
(Assignee)

Comment 1

7 years ago
Removing is easy... so I thought! :)

The identifiers used for some entrust roots don't match the descriptions given.

I identified that "client" used in names here match the certs described as "personal" in the code.

There was a good match for "Entrust.net Secure Server CA".


After I removed the 3 requested entrust certs, the following entrust roots are being kept (not removed):
# Certificate "Entrust.net Premium 2048 Secure Server CA"
# Certificate "Entrust.net Global Secure Server CA"
# Certificate "Entrust Root Certification Authority"


Does this sound right?
Assignee: nobody → kaie
(Assignee)

Comment 2

7 years ago
Created attachment 503586 [details] [diff] [review]
Patch v1
Attachment #503586 - Flags: review?(nelson)
(Reporter)

Comment 3

7 years ago
When I look at the Certificate Manager in Firefox, the 3 Entrust roots that should remain are as follows.

CN = Entrust.net Certification Authority (2048)
SHA1 Fingerprint: 80:1D:62:D0:7B:44:9D:5C:5C:03:5C:98:EA:61:FA:44:3C:2A:58:FE
(I think this is the one you called "Entrust.net Premium 2048 Secure Server CA")

CN = Entrust.net Secure Server Certification Authority
SHA1 Fingerprint: 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
(I think this is the one you called "Entrust.net Global Secure Server CA")

CN = Entrust Root Certification Authority
SHA1 Fingerprint: B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9


If it helps, all of the trust bits have already been turned off for the 3 Entrust roots that we are removing.

Thanks,
Kathleen
Comment on attachment 503586 [details] [diff] [review]
Patch v1

r-
The set of certs removed by this patch does not exactly match the set 
requested in comment 0. 

This patch removes an entrust cert with the SHA1 fingerprint 
99:a6:9b:e6:1a:fe:88:6b:4d:2b:82:00:7c:b8:54:fc:31:7e:15:39
which is not in Kathleen's list, 
and does not remove the entrust cert with the SHA1 fingerprint 
89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93
which is in her list.
Attachment #503586 - Flags: review?(nelson) → review-
(Reporter)

Updated

7 years ago
Blocks: 605187
(Assignee)

Comment 5

7 years ago
(In reply to comment #3)
> 
> If it helps, all of the trust bits have already been turned off for the 3
> Entrust roots that we are removing.


Kathleen, thanks a lot, this greatly simplified identifying the roots that are supposed to be removed.
(Assignee)

Comment 6

7 years ago
Created attachment 519656 [details] [diff] [review]
Patch v2

If you diff this patch against the previous version, you'll see, the patch is mostly identical. But I keep the Entrust root which has still trust flags enabled, and I now remove another root, which has all trust flags already disabled.
Attachment #519656 - Flags: review?(nelson)
(Assignee)

Comment 7

7 years ago
A test build, that includes patch v2, can be found here:
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-6873b2ef1dfb/

(This will go away after 3 days. Once it's gone, it will be available here http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/old/kaie@kuix.de-6873b2ef1dfb/ for another 10 days, after which it will be deleted automatically.)
(Reporter)

Comment 8

7 years ago
I installed the MacOS version of the test build, and moved my cert8.db file to a different folder.  Then I viewed the Authorities list in the Certificate Manager, and verified that all of the correct certs have been removed as per the description in this bug.

Thanks,
Kathleen
(Assignee)

Updated

7 years ago
Attachment #519656 - Flags: review?(rrelyea)

Comment 9

7 years ago
Comment on attachment 519656 [details] [diff] [review]
Patch v2

r+ rrelyea

Looks like you got the right certs this time.

Thanks Kathleen for helping get some of these out of here!

bob
Attachment #519656 - Flags: review?(rrelyea) → review+
(Assignee)

Updated

7 years ago
Attachment #519656 - Flags: review?(nelson)
(Assignee)

Comment 10

7 years ago
NSS trunk:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.76; previous revision: 1.75
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.73; previous revision: 1.72
done
(Assignee)

Updated

7 years ago
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
(Assignee)

Comment 11

7 years ago
3.12 branch:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.67.2.9; previous revision: 1.67.2.8
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.64.2.9; previous revision: 1.64.2.8
done
Target Milestone: --- → 3.12.10
You need to log in before you can comment on or make changes to this bug.