Closed Bug 708009 Opened 10 years ago Closed 10 years ago

Remove root certificates from NSS

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

References

Details

This bug requests that the following root certificates be removed from the NSS root certificate store.

OU = TC TrustCenter Class 2 CA
O = TC TrustCenter for Security in Data Networks GmbH
SHA1: 83:8E:30:F7:7F:DD:14:AA:38:5E:D1:45:00:9C:0E:22:36:49:4F:AA
Reason: Expired

OU = TC TrustCenter Class 3 CA
O = TC TrustCenter for Security in Data Networks GmbH
SHA1: 9F:C7:96:E8:F8:52:4F:86:3A:E1:49:6D:38:12:42:10:5F:1B:78:F5
Reason: Expired

OU = Class 1 Public Primary Certification Authority
O = "VeriSign, Inc."
SHA1: 90:AE:A2:69:85:FF:14:80:4C:43:49:52:EC:E9:60:84:77:AF:55:6F
Reason: This MD2 root has been replaced by a new root

OU = Class 2 Public Primary Certification Authority
O = "VeriSign, Inc."
SHA1: 67:82:AA:E0:ED:EE:E2:1A:58:39:D3:C0:CD:14:68:0A:4F:60:14:2A
Reason: This MD2 root has been replaced by a new root

OU = Class 4 Public Primary Certification Authority - G2
O = "VeriSign, Inc."
SHA1: 0B:77:BE:BB:CB:7A:A2:47:05:DE:CC:0F:BD:6A:02:FC:7A:BD:9B:52
Reason: No longer in use.

This list of root certificates to be removed has been assessed in accordance with Mozilla’s Root Change Process:
https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root

The changes have been discussed in the mozilla.dev.security.policy forum and approved in bug #682071.
Blocks: 711829
Could you please check the test build at https://kuix.de/mozilla/tryserver-roots-20111218/
Did I remove the correct roots?

Thanks
Kai, Sorry for the delay in my response -- I'm still catching up from the holidays.

For some reason I'm having difficulty downloading the test build for the Mac -- very slow download rate. 

Would you please send me the cert8.db file from the test build? I believe that should be sufficient for me and check that the correct roots were removed.
I just tried to download the mac version of the test build again, and this time it worked.

I have reviewed the TC TrustCenter and VeriSign roots in the Certificate Manager to confirm that the desired roots have been removed, and the ones that should not be removed are still there.

Thanks!
Will be fixed in NSS 3.13.2
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.