Created attachment 579366 [details]
CATCert Root Cert
This bug requests inclusion in the NSS root certificate store of the following certificate, owned by CATCert.
Friendly name: EC-ACC
Certificate location: http://www.catcert.net/descarrega/acc.crt
SHA1 Fingerprint: 28:90:3A:63:5B:52:80:FA:E6:77:4C:0B:6D:A7:D6:BA:A6:4A:F2:E8
Trust flags: Websites
Test URL: https://seuelectronica.upc.edu/
This CA has been assessed in accordance with the Mozilla project guidelines, and the certificate approved for inclusion in bug #295474.
The steps are as follows:
1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate has been attached.
2) A Mozilla representative creates a patch with the new certificate, and provides a special test version of Firefox.
3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate has been correctly imported and that websites work correctly.
4) The Mozilla representative requests that another Mozilla representative review the patch.
5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate(s). This process is mostly under the control of the release drivers for those products.
Manuel, Please see step #1 above.
(In reply to Kathleen Wilson from comment #1)
> Manuel, Please see step #1 above.
Hi Kathleen, we confirm that the information of the root CATCert certificate is correct. Another URL test could be: https://seu.catcert.cat
Thanks for confirming that the data in this bug is correct.
Root inclusions are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.
At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.
A test version of Firefox is available at https://kuix.de/mozilla/tryserver-roots-20111218/
This test build contains your new root(s).
TODO, in this bug, please confirm that your root has been correctly added.
In particular check the correct trust flags (in cert manager you can use "edit trust" to view the trust settings you've received).
Please note this build is based on a nightly development/test version of Firefox. It might be unstable and have bugs. Please be careful.
It's best to use a "fresh, empty profile", for your testing. (Search the web how to use separate profiles, start the profile manager, with Firefox).
This is also recommended to make sure you're not testing your own certificate database, but really this software with the embedded certs.
From CATCert we have validated OK the 4 test Firefox versions following your instructions. Thank you.
Will be fixed in NSS 3.13.2
I believe that this including this root certificate is a mistake: the serial number on the certificate is negative. This happens to be possible with ASN.1, but isn't permitted in a certificate:
"The serial number MUST be a positive integer."
More importantly, making glaring mistakes in a root certificate doesn't inspire confidence in the practices of the CA.
(In reply to Adam Langley from comment #7)
> I believe that this including this root certificate is a mistake: the serial
> number on the certificate is negative.
This was discussed at great length in the mozilla.dev.security.policy discussion forum.
From posting on 23/08/2011: "The fact is that our root CA created in 2003 is not accomplishing that point because in design time was used the RFC2459 that didn't have this requirement about serial numbers. Anyway it is specified in RFCs 3280 and 5280 that "Certificate users SHOULD be prepared to gracefully handle such certificates", so the practical experience is that we have not been reported yet for any interoperability problems caused by this issue. Furthermore we are planning to create another root certificate during 2012 with SHA-256 algorithm, so we will take special care at this point."
Hi, is there an approximated date to have included the root certificate of CATCert in a final version of Firefox?