Closed Bug 622719 Opened 11 years ago Closed 11 years ago

Remove legacy root certificates from NSS

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
3.12.10

People

(Reporter: kwilson, Assigned: KaiE)

References

Details

Attachments

(2 files)

This bug requests that the following root certificates be removed from the NSS root certificate store.

CN = AOL Time Warner Root Certification Authority 1
O = AOL Time Warner Inc.
SHA1 Fingerpint: 74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49

CN = AOL Time Warner Root Certification Authority 2
O = AOL Time Warner Inc.
SHA1 Fingerprint: FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A

CN = Thawte Timestamping CA
O = Thawte
SHA1 Fingerprint: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56

CN = Thawte Personal Freemail CA
O = Thawte Consulting
SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85

CN = Entrust.net Client Certification Authority
OU = (c) 1999 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80

CN = Entrust.net Client Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73

CN = Entrust.net Secure Server Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93

CN = IPS CA Chained CAs Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57

CN = IPS CA CLASE1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF

CN = IPS CA CLASE3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C

CN = IPS CA CLASEA1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04

CN = IPS CA CLASEA3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E

CN = IPS CA Timestamping Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2


This list of root certificates to be removed has been assessed in accordance with Mozilla’s Root Change Process:
https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root

The changes have been discussed in the mozilla.dev.security.policy forum and approved in bug #617664.
Removing is easy... so I thought! :)

The identifiers used for some entrust roots don't match the descriptions given.

I identified that "client" used in names here match the certs described as "personal" in the code.

There was a good match for "Entrust.net Secure Server CA".


After I removed the 3 requested entrust certs, the following entrust roots are being kept (not removed):
# Certificate "Entrust.net Premium 2048 Secure Server CA"
# Certificate "Entrust.net Global Secure Server CA"
# Certificate "Entrust Root Certification Authority"


Does this sound right?
Assignee: nobody → kaie
Attached patch Patch v1Splinter Review
Attachment #503586 - Flags: review?(nelson)
When I look at the Certificate Manager in Firefox, the 3 Entrust roots that should remain are as follows.

CN = Entrust.net Certification Authority (2048)
SHA1 Fingerprint: 80:1D:62:D0:7B:44:9D:5C:5C:03:5C:98:EA:61:FA:44:3C:2A:58:FE
(I think this is the one you called "Entrust.net Premium 2048 Secure Server CA")

CN = Entrust.net Secure Server Certification Authority
SHA1 Fingerprint: 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
(I think this is the one you called "Entrust.net Global Secure Server CA")

CN = Entrust Root Certification Authority
SHA1 Fingerprint: B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9


If it helps, all of the trust bits have already been turned off for the 3 Entrust roots that we are removing.

Thanks,
Kathleen
Comment on attachment 503586 [details] [diff] [review]
Patch v1

r-
The set of certs removed by this patch does not exactly match the set 
requested in comment 0. 

This patch removes an entrust cert with the SHA1 fingerprint 
99:a6:9b:e6:1a:fe:88:6b:4d:2b:82:00:7c:b8:54:fc:31:7e:15:39
which is not in Kathleen's list, 
and does not remove the entrust cert with the SHA1 fingerprint 
89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93
which is in her list.
Attachment #503586 - Flags: review?(nelson) → review-
Blocks: 605187
(In reply to comment #3)
> 
> If it helps, all of the trust bits have already been turned off for the 3
> Entrust roots that we are removing.


Kathleen, thanks a lot, this greatly simplified identifying the roots that are supposed to be removed.
Attached patch Patch v2Splinter Review
If you diff this patch against the previous version, you'll see, the patch is mostly identical. But I keep the Entrust root which has still trust flags enabled, and I now remove another root, which has all trust flags already disabled.
Attachment #519656 - Flags: review?(nelson)
A test build, that includes patch v2, can be found here:
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-6873b2ef1dfb/

(This will go away after 3 days. Once it's gone, it will be available here http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/old/kaie@kuix.de-6873b2ef1dfb/ for another 10 days, after which it will be deleted automatically.)
I installed the MacOS version of the test build, and moved my cert8.db file to a different folder.  Then I viewed the Authorities list in the Certificate Manager, and verified that all of the correct certs have been removed as per the description in this bug.

Thanks,
Kathleen
Attachment #519656 - Flags: review?(rrelyea)
Comment on attachment 519656 [details] [diff] [review]
Patch v2

r+ rrelyea

Looks like you got the right certs this time.

Thanks Kathleen for helping get some of these out of here!

bob
Attachment #519656 - Flags: review?(rrelyea) → review+
Attachment #519656 - Flags: review?(nelson)
NSS trunk:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.76; previous revision: 1.75
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.73; previous revision: 1.72
done
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
3.12 branch:

cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v  <--  certdata.c
new revision: 1.67.2.9; previous revision: 1.67.2.8
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v  <--  certdata.txt
new revision: 1.64.2.9; previous revision: 1.64.2.8
done
Target Milestone: --- → 3.12.10
You need to log in before you can comment on or make changes to this bug.