Closed Bug 691844 Opened 13 years ago Closed 13 years ago

Disable certain trust bits for TDC roots

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)

References

Details

(Whiteboard: Changes in FF 11)

The "TDC Internet Root CA" hierarchy only issues end user certificates for identifying websites. Therefore the "email" and "code signing" trust bits should be turned off by default.

And the "TDC OCES CA" only issues end user certificates for identifying end entities for email usage in an NSS context. Therefore the "websites" and "code signing" trust bits should be turned off.

The result should be:

O = TDC Internet
OU = TDC Internet Root CA
SHA1 = 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
Trust Bits Enabled: Websites

O = TDC
CN = TDC OCES CA
SHA1 = 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
Trust Bits Enabled: Email
I can confirm that this is correct.
Depends on: 692168
I have posted this request in the "Root Cleanup" discussion in the mozilla.dev.security.policy forum.
Whiteboard: In public discussion
I have closed the discussion in mozilla.dev.security.policy about turning off certain trust bits for these root certificates. No concerns were raised. I will file the NSS bug for the actual changes.
Depends on: 708016
I have filed bug #708016 for the actual changes in NSS.
Whiteboard: In public discussion → Approved - awaiting NSS
I have confirmed that the trust bits are updated, as per the bug description, in FF11.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: Approved - awaiting NSS → Changes in FF 11
Product: mozilla.org → NSS
Product: NSS → CA Program