Bug 622719 - Remove legacy root certificates from NSS
Status: RESOLVED FIXED (opened 14 years ago, closed 14 years ago)
Product: NSS, Component: CA Certificates Code (task)
Target Milestone: 3.12.10
Reporter: kathleen.a.wilson, Assigned: KaiE
Attachments (2 files):
Patch v1 (132.86 KB, patch): nelson: review-
Patch v2 (132.33 KB, patch): rrelyea: review+
This bug requests that the following root certificates be removed from the NSS root certificate store.
CN = AOL Time Warner Root Certification Authority 1
O = AOL Time Warner Inc.
SHA1 Fingerprint: 74:54:53:5C:24:A3:A7:58:20:7E:3E:3E:D3:24:F8:16:FB:21:16:49
CN = AOL Time Warner Root Certification Authority 2
O = AOL Time Warner Inc.
SHA1 Fingerprint: FC:21:9A:76:11:2F:76:C1:C5:08:83:3C:9A:2F:A2:BA:84:AC:08:7A
CN = Thawte Timestamping CA
O = Thawte
SHA1 Fingerprint: BE:36:A4:56:2F:B2:EE:05:DB:B3:D3:23:23:AD:F4:45:08:4E:D6:56
CN = Thawte Personal Freemail CA
O = Thawte Consulting
SHA1 Fingerprint: 20:99:00:B6:3D:95:57:28:14:0C:D1:36:22:D8:C6:87:A4:EB:00:85
CN = Entrust.net Client Certification Authority
OU = (c) 1999 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80
CN = Entrust.net Client Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73
CN = Entrust.net Secure Server Certification Authority
OU = (c) 2000 Entrust.net Limited
O = Entrust.net
SHA1 Fingerprint: 89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93
CN = IPS CA Chained CAs Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: C8:C2:5F:16:9E:F8:50:74:D5:BE:E8:CD:A2:D4:3C:AE:E7:5F:D2:57
CN = IPS CA CLASE1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 43:9E:52:5F:5A:6A:47:C3:2C:EB:C4:5C:63:ED:39:31:7C:E5:F4:DF
CN = IPS CA CLASE3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 41:78:AB:4C:BF:CE:7B:41:02:AC:DA:C4:93:3E:6F:F5:0D:CF:71:5C
CN = IPS CA CLASEA1 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 33:A3:35:C2:3C:E8:03:4B:04:E1:3D:E5:C4:8E:79:1A:EB:8C:32:04
CN = IPS CA CLASEA3 Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 16:D4:24:FE:96:10:E1:75:19:AF:23:2B:B6:87:74:E2:41:44:BE:6E
CN = IPS CA Timestamping Certification Authority
O = IPS Internet publishing Services s.l.
SHA1 Fingerprint: 96:99:5C:77:11:E8:E5:2D:F9:E3:4B:EC:EC:67:D3:CB:F1:B6:C4:D2
This list of root certificates to be removed has been assessed in accordance with Mozilla’s Root Change Process:
https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root
The changes have been discussed in the mozilla.dev.security.policy forum and approved in bug #617664.
Comment 1 • Assignee • 14 years ago
Removing is easy... so I thought! :)
The identifiers used for some entrust roots don't match the descriptions given.
I identified that "client" used in the names here matches the certs described as "personal" in the code.
There was a good match for "Entrust.net Secure Server CA".
After I removed the 3 requested entrust certs, the following entrust roots are being kept (not removed):
# Certificate "Entrust.net Premium 2048 Secure Server CA"
# Certificate "Entrust.net Global Secure Server CA"
# Certificate "Entrust Root Certification Authority"
Does this sound right?
Assignee: nobody → kaie
Comment 2 • Assignee • 14 years ago
Attachment #503586 - Flags: review?(nelson)
Comment 3 • Reporter • 14 years ago
When I look at the Certificate Manager in Firefox, the 3 Entrust roots that should remain are as follows.
CN = Entrust.net Certification Authority (2048)
SHA1 Fingerprint: 80:1D:62:D0:7B:44:9D:5C:5C:03:5C:98:EA:61:FA:44:3C:2A:58:FE
(I think this is the one you called "Entrust.net Premium 2048 Secure Server CA")
CN = Entrust.net Secure Server Certification Authority
SHA1 Fingerprint: 99:A6:9B:E6:1A:FE:88:6B:4D:2B:82:00:7C:B8:54:FC:31:7E:15:39
(I think this is the one you called "Entrust.net Global Secure Server CA")
CN = Entrust Root Certification Authority
SHA1 Fingerprint: B3:1E:B1:B7:40:E3:6C:84:02:DA:DC:37:D4:4D:F5:D4:67:49:52:F9
If it helps, all of the trust bits have already been turned off for the 3 Entrust roots that we are removing.
Thanks,
Kathleen
Comment 4 • 14 years ago
Comment on attachment 503586 [details] [diff] [review]
Patch v1
r-
The set of certs removed by this patch does not exactly match the set
requested in comment 0.
This patch removes an entrust cert with the SHA1 fingerprint
99:a6:9b:e6:1a:fe:88:6b:4d:2b:82:00:7c:b8:54:fc:31:7e:15:39
which is not in Kathleen's list,
and does not remove the entrust cert with the SHA1 fingerprint
89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93
which is in her list.
Attachment #503586 - Flags: review?(nelson) → review-
Comment 5 • Assignee • 14 years ago
(In reply to comment #3)
> If it helps, all of the trust bits have already been turned off for the 3
> Entrust roots that we are removing.
Kathleen, thanks a lot, this greatly simplified identifying the roots that are supposed to be removed.
Comment 6 • Assignee • 14 years ago
If you diff this patch against the previous version, you'll see that the patch is mostly identical. But I keep the Entrust root which still has trust flags enabled, and I now remove another root, which has all trust flags already disabled.
Attachment #519656 - Flags: review?(nelson)
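As an added example for this bug, not code from NSS or from anyone in this thread: the mix-up between patch v1 and v2 came from matching roots by label instead of by the fingerprints listed in comment 0, and the tie-breaker in comments 3 to 6 was "which Entrust root already has every trust bit off". The Python below does both checks mechanically against a certdata.txt: it parses the lib/ckfw/builtins object format (CKA_CLASS objects with MULTILINE_OCTAL bodies), SHA1-fingerprints each CKO_CERTIFICATE's CKA_VALUE, joins it to its trust object through CKA_CERT_SHA1_HASH, and reports for each fingerprint on a removal list whether the cert is still present and whether any CKA_TRUST_* attribute still marks it a trust anchor. Assumptions: the attribute and constant names (CKO_NETSCAPE_TRUST / CKO_NSS_TRUST, CKT_NETSCAPE_* / CKT_NSS_*) as used across NSS versions; REMOVAL_LIST holds three of the fingerprints from comment 0; all function names, the two "Constructed Root" entries and their placeholder DER bytes (not real certificates) are mine.

```python
# Constructed example for bug 622719, not NSS project code: parse the certdata.txt
# object format, SHA1-fingerprint each root, and check a removal list against it.
import hashlib
import re

# From comment 0; the three Entrust entries are the ones patch v1 got wrong.
REMOVAL_LIST = [
    "DA:79:C1:71:11:50:C2:34:39:AA:2B:0B:0C:62:FD:55:B2:F9:F5:80",  # Entrust.net Client CA (1999)
    "CF:74:BF:FF:9B:86:81:5B:08:33:54:40:36:3E:87:B6:B6:F0:BF:73",  # Entrust.net Client CA (2000)
    "89:39:57:6E:17:8D:F7:05:78:0F:CC:5E:C8:4F:84:F6:25:3A:48:93",  # Entrust.net Secure Server CA (2000)
]
OCTAL_ESCAPE = re.compile(r"\\([0-7]{3})")
# CKT_NETSCAPE_TRUSTED[_DELEGATOR] in 3.12-era files, CKT_NSS_... later; NOT_TRUSTED,
# UNTRUSTED, TRUST_UNKNOWN and MUST_VERIFY_TRUST deliberately do not match.
TRUST_ON = re.compile(r"(?<!NOT)_TRUSTED(_DELEGATOR)?$")

def decode_multiline_octal(text):
    """A MULTILINE_OCTAL body is a run of \\ooo escapes, one byte each."""
    return bytes(int(o, 8) for o in OCTAL_ESCAPE.findall(text))

def encode_multiline_octal(data, per_line=16):
    """Inverse of decode_multiline_octal; used here only to build sample input."""
    return "\n".join("".join("\\%03o" % b for b in data[i:i + per_line])
                     for i in range(0, len(data), per_line))

def fingerprint_sha1(der):
    """Colon-separated upper-case SHA1, the form the bug uses."""
    h = hashlib.sha1(der).hexdigest().upper()
    return ":".join(h[i:i + 2] for i in range(0, 40, 2))

def parse_certdata(text):
    """Objects as {attr: (type, value)}; one object per CKA_CLASS line, octal decoded."""
    objects, current, lines, i = [], {}, text.splitlines(), 0  # {} soaks up the header
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue  # BEGINDATA, stray END
        name, ctype = parts[0], parts[1]
        if name == "CKA_CLASS":
            current = {}
            objects.append(current)
        if ctype == "MULTILINE_OCTAL":
            chunk = []
            while i < len(lines) and lines[i].strip() != "END":
                chunk.append(lines[i])
                i += 1
            i += 1  # consume END
            current[name] = (ctype, decode_multiline_octal("".join(chunk)))
        else:
            current[name] = (ctype, (parts[2] if len(parts) > 2 else "").strip('"'))
    return objects

def scan_for_removal(certdata_text, fingerprints):
    """Map each fingerprint to {cert_present, label, trust_enabled}."""
    certs, trusts = {}, {}
    for obj in parse_certdata(certdata_text):
        cls = obj.get("CKA_CLASS", ("", ""))[1]
        if cls == "CKO_CERTIFICATE" and "CKA_VALUE" in obj:
            certs[fingerprint_sha1(obj["CKA_VALUE"][1])] = obj
        elif cls.endswith("_TRUST") and "CKA_CERT_SHA1_HASH" in obj:
            # CKO_NETSCAPE_TRUST or CKO_NSS_TRUST; joined to its cert by SHA1
            trusts[":".join("%02X" % b for b in obj["CKA_CERT_SHA1_HASH"][1])] = obj
    report = {}
    for fp in fingerprints:
        fp = fp.upper()
        cert, trust = certs.get(fp), trusts.get(fp)
        report[fp] = {"cert_present": cert is not None,
                      "label": cert["CKA_LABEL"][1] if cert else None,
                      "trust_enabled": trust is not None and any(
                          k.startswith("CKA_TRUST_") and TRUST_ON.search(v[1])
                          for k, v in trust.items())}
    return report

def build_sample_certdata(label, der, server_auth):
    """Constructed fragment: cert object plus trust object; `der` is placeholder bytes."""
    return f"""
# Certificate "{label}"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "{label}"
CKA_VALUE MULTILINE_OCTAL
{encode_multiline_octal(der)}
END
# Trust for Certificate "{label}"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "{label}"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
{encode_multiline_octal(hashlib.sha1(der).digest())}
END
CKA_TRUST_SERVER_AUTH CK_TRUST {server_auth}
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
"""

# Two constructed roots: one still a trust anchor, one with every bit off.
SAMPLE_CERTDATA = (
    build_sample_certdata("Constructed Root A", b"abc", "CKT_NETSCAPE_TRUSTED_DELEGATOR")
    + build_sample_certdata("Constructed Root B", b"xyz", "CKT_NETSCAPE_TRUST_UNKNOWN"))
```

Against a real file, scan_for_removal(open("certdata.txt").read(), REMOVAL_LIST) before and after applying a patch gives the two facts a reviewer wants: a listed fingerprint that still reports cert_present after the patch was missed, and one that reports trust_enabled is, per Kathleen's note in comment 3, not one of the roots this bug asked to remove.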
Comment 7 • Assignee • 14 years ago
A test build, that includes patch v2, can be found here:
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-6873b2ef1dfb/
(This will go away after 3 days. Once it's gone, it will be available here http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/old/kaie@kuix.de-6873b2ef1dfb/ for another 10 days, after which it will be deleted automatically.)
Comment 8 • Reporter • 14 years ago
I installed the MacOS version of the test build, and moved my cert8.db file to a different folder. Then I viewed the Authorities list in the Certificate Manager, and verified that all of the correct certs have been removed as per the description in this bug.
Thanks,
Kathleen
Updated • Assignee • 14 years ago
Attachment #519656 - Flags: review?(rrelyea)
Comment 9 • 14 years ago
Comment on attachment 519656 [details] [diff] [review]
Patch v2
r+ rrelyea
Looks like you got the right certs this time.
Thanks Kathleen for helping get some of these out of here!
bob
Attachment #519656 - Flags: review?(rrelyea) → review+
Updated • Assignee • 14 years ago
Attachment #519656 - Flags: review?(nelson)
Comment 10 • Assignee • 14 years ago
NSS trunk:
cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 1.76; previous revision: 1.75
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt
new revision: 1.73; previous revision: 1.72
done
Updated • Assignee • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 11 • Assignee • 14 years ago
3.12 branch:
cvs commit: Examining .
Checking in certdata.c;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.c,v <-- certdata.c
new revision: 1.67.2.9; previous revision: 1.67.2.8
done
Checking in certdata.txt;
/cvsroot/mozilla/security/nss/lib/ckfw/builtins/certdata.txt,v <-- certdata.txt
new revision: 1.64.2.9; previous revision: 1.64.2.8
done
Target Milestone: --- → 3.12.10