Closed Bug 632461 Opened 11 years ago Closed 11 years ago

Add Go Daddy G2 root certificates to NSS

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

References

Details

Attachments

(3 files)

This bug requests inclusion in the NSS root certificate store of the following
certificates, owned by Go Daddy.

Friendly name: Go Daddy Root Certificate Authority - G2
Certificate location: https://certificates.godaddy.com/repository/gdroot-g2.crt
SHA1 Fingerprint: 47:BE:AB:C9:22:EA:E8:0E:78:78:34:62:A7:9F:45:C2:54:FD:E6:8B
Trust flags: Websites, Code Signing
Test URL: https://gdg2roottest.godaddy.com/

Friendly name: Starfield Root Certificate Authority - G2
Certificate location: https://certificates.starfieldtech.com/repository/sfroot-g2.crt
SHA1 Fingerprint: B5:1C:06:7C:EE:2B:0C:3D:F8:55:AB:2D:92:F4:FE:39:D4:E7:0F:0E
Trust flags: Websites, Code Signing
Test URL: https://sfg2roottest.starfieldtech.com/

Friendly name: Starfield Services Root Certificate Authority - G2
Certificate location: https://certificates.starfieldtech.com/repository/sfsroot-g2.crt
SHA1 Fingerprint: 92:5A:8F:8D:2C:6D:04:E0:66:5F:59:6A:FF:22:D8:63:E8:25:6F:3F
Trust flags: Websites, Code Signing
Test URL: https://sfsg2roottest.starfieldtech.com/

This CA has been assessed in accordance with the Mozilla project guidelines,
and the certificate approved for inclusion in bug #527056.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is
correct, and that the correct certificate(s) have been attached. They must also
specify what OS they would like to use to perform the verification below.

2) A Mozilla representative creates a test build of NSS with the new
certificate(s), and attaches nssckbi.dll to this bug. A representative of the
CA must download this, drop it into a copy of Firefox and/or Thunderbird on the
OS in question and confirm (by adding a comment here) that the certificate(s)
have been correctly imported and that websites work correctly.

3) The Mozilla representative checks the certificate(s) into the NSS store, and
marks the bug RESOLVED FIXED.

4) At some time after that, various Mozilla products will move to using a
version of NSS which contains the certificate. This process is mostly under the
control of the release drivers for those products.
Patrick or Ryan, Please see step #1 above.
Blocks: 632475
I confirm that the information listed in the description is correct.  I have downloaded the three certificates attached to this bug and confirmed that they are correct.  The SHA1 hashes of the certificates attached to this bug match the SHA1 hashes of the true and correct certificates, and also match the SHA1 hashes listed in the description.

We will perform the verification using a Mac OS X 10.6.x system.
Ryan, Thanks for confirming that the data in this bug is correct.

Root inclusions are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.

At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.
Depends on: 642129
A test version of Firefox is available at http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/kaie@kuix.de-6873b2ef1dfb/

Please download soon.

(This will go away after 3 days. Once it's gone, it will be available here
http://ftp.mozilla.org/pub/mozilla.org/firefox/tryserver-builds/old/kaie@kuix.de-6873b2ef1dfb/
for another 10 days, after which it will be deleted automatically.)

Please note this build is based on a nightly development/test version of Firefox. It might be unstable and have bugs. Please be careful. It's best to use a "fresh, empty profile", for your testing. (Search the web how to use separate profiles, start the profile manager, with Firefox). This is also recommended to make sure you're not testing your own certificate database, but really this software with the embedded certs.

This test build contains your new roots, and if you have requested to, it also has the roots enabled for EV.
Please make sure you add a confirmation comment in BOTH separate bugs (one for adding the root, one for enabling for EV, if applicable).

Please note, adding your roots, and enabling roots for EV might happen in separate releases, although we try to do it all in the same release.
TODO, in this bug, please confirm that your root has been correctly added.

In particular check the correct trust flags (in cert manager you can use "edit trust" to view the trust settings you've received).
I have downloaded and tested both the Mac OS X and Win32 builds.  I confirm that the new Go Daddy Root Certificate Authority - G2 and the Starfield Root Certificate Authority - G2 are correctly added to the built-in root store.  Using a new profile when launching the Minefield build, I inspected the contents of the certificates, verified their trust settings, and successfully loaded our test pages.
Ryan, what about the third root, "Starfield Services" ?
My apologies.  Yes, the Starfield Services Root Certificate Authority - G2 appears to be correctly added to the built-in root store with correct trust bits.
fixed in bug 642129
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.