Remove root certificates from NSS

RESOLVED FIXED

Status

NSS
CA Certificates Code
--
enhancement
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: Kathleen Wilson, Unassigned)

Tracking

Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
This bug requests that the following root certificates be removed from the NSS root certificate store.

OU = TC TrustCenter Class 2 CA
O = TC TrustCenter for Security in Data Networks GmbH
SHA1: 83:8E:30:F7:7F:DD:14:AA:38:5E:D1:45:00:9C:0E:22:36:49:4F:AA
Reason: Expired

OU = TC TrustCenter Class 3 CA
O = TC TrustCenter for Security in Data Networks GmbH
SHA1: 9F:C7:96:E8:F8:52:4F:86:3A:E1:49:6D:38:12:42:10:5F:1B:78:F5
Reason: Expired

OU = Class 1 Public Primary Certification Authority
O = "VeriSign, Inc."
SHA1: 90:AE:A2:69:85:FF:14:80:4C:43:49:52:EC:E9:60:84:77:AF:55:6F
Reason: This MD2 root has been replaced by a new root

OU = Class 2 Public Primary Certification Authority
O = "VeriSign, Inc."
SHA1: 67:82:AA:E0:ED:EE:E2:1A:58:39:D3:C0:CD:14:68:0A:4F:60:14:2A
Reason: This MD2 root has been replaced by a new root

OU = Class 4 Public Primary Certification Authority - G2
O = "VeriSign, Inc."
SHA1: 0B:77:BE:BB:CB:7A:A2:47:05:DE:CC:0F:BD:6A:02:FC:7A:BD:9B:52
Reason: No longer in use.

This list of root certificates to be removed has been assessed in accordance with Mozilla’s Root Change Process:
https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root

The changes have been discussed in the mozilla.dev.security.policy forum and approved in bug #682071.

Updated

6 years ago
Blocks: 711829

Comment 1

6 years ago
Could you please check the test build at https://kuix.de/mozilla/tryserver-roots-20111218/
Did I remove the correct roots?

Thanks
(Reporter)

Comment 2

6 years ago
Kai, Sorry for the delay in my response -- I'm still catching up from the holidays.

For some reason I'm having difficulty downloading the test build for the Mac -- very slow download rate. 

Would you please send me the cert8.db file from the test build? I believe that should be sufficient for me and check that the correct roots were removed.
(Reporter)

Comment 3

6 years ago
I just tried to download the mac version of the test build again, and this time it worked.

I have reviewed the TC TrustCenter and VeriSign roots in the Certificate Manager to confirm that the desired roots have been removed, and the ones that should not be removed are still there.

Thanks!

Comment 4

6 years ago
Will be fixed in NSS 3.13.2
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.