Closed Bug 708016 Opened 13 years ago Closed 13 years ago

Turn off certain trust bits for TDC roots in NSS

Categories

(NSS :: CA Certificates Code, task)

RESOLVED FIXED

People

(Reporter: kathleen.a.wilson, Unassigned)

This bug requests that certain trust bits be turned off for the following root certificates in NSS. The result should be:

O = TDC Internet
OU = TDC Internet Root CA
SHA1 = 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
Trust Bits Enabled: Websites (e.g. turn off email and code signing)

O = TDC
CN = TDC OCES CA
SHA1 = 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
Trust Bits Enabled: Email (e.g. turn off websites and code signing)

These changes have been assessed in accordance with Mozilla’s Root Change Process: https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root

The changes have been discussed in the mozilla.dev.security.policy forum and approved in bug #691844.
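An added example, not part of the bug report or of NSS's own code: a check that the trust objects in a certdata.txt-style file match the end state requested above. The sample objects are constructed, and treating a bit as enabled only when its value is CKT_NSS_TRUSTED_DELEGATOR is an assumption about how the change is encoded.

```python
import re

# End state requested in the bug: SHA1 fingerprint -> trust bits left enabled.
EXPECTED = {
    "21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A": {"websites"},
    "87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01": {"email"},
}
BITS = {"CKA_TRUST_SERVER_AUTH": "websites",
        "CKA_TRUST_EMAIL_PROTECTION": "email",
        "CKA_TRUST_CODE_SIGNING": "code signing"}

def parse_trust(text):
    """Map SHA1 fingerprint -> enabled trust bits for each CKO_NSS_TRUST object."""
    result, sha1, in_trust = {}, None, False
    lines = iter(text.splitlines())
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "CKA_CLASS":  # a new object starts here
            in_trust, sha1 = parts[-1] == "CKO_NSS_TRUST", None
        elif in_trust and parts[0] == "CKA_CERT_SHA1_HASH":
            # The MULTILINE_OCTAL body runs until a line reading END.
            body = "".join(iter(lambda: next(lines, "END").strip(), "END"))
            octets = re.findall(r"\\([0-7]{3})", body)
            sha1 = ":".join("%02X" % int(o, 8) for o in octets)
            result[sha1] = set()
        elif sha1 and parts[0] in BITS and parts[-1] == "CKT_NSS_TRUSTED_DELEGATOR":
            result[sha1].add(BITS[parts[0]])
    return result

def check(text):
    """Return one message per root whose enabled bits differ from EXPECTED."""
    found = parse_trust(text)
    return [f"{fp}: want {sorted(want)}, found {sorted(found.get(fp, set()))}"
            for fp, want in EXPECTED.items() if found.get(fp) != want]

def sample_object(fp, enabled):
    """Build a constructed trust object (not copied from NSS) for the demo."""
    octal = "".join("\\%03o" % int(h, 16) for h in fp.split(":"))
    rows = ["CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST",
            "CKA_CERT_SHA1_HASH MULTILINE_OCTAL", octal, "END"]
    rows += [f"{attr} CK_TRUST " + ("CKT_NSS_TRUSTED_DELEGATOR" if name in enabled
                                    else "CKT_NSS_MUST_VERIFY_TRUST")
             for attr, name in BITS.items()]
    return "\n".join(rows) + "\n"

FIXED = "".join(sample_object(fp, bits) for fp, bits in EXPECTED.items())
if __name__ == "__main__":
    print(check(FIXED) or "trust bits match the requested state")
```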
Blocks: 711829
Could you please check the test build at https://kuix.de/mozilla/tryserver-roots-20111218/ Did I modify the trust flags correctly? Thanks
I just checked the test build, and using the Certificate Manager I confirmed that the correct trust bit is set for each of these roots. Thanks!
Will be fixed in NSS 3.13.2
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
I believe that including this root certificate is a mistake: the serial number on the certificate is negative. This happens to be possible with ASN.1, but isn't permitted in a certificate: "The serial number MUST be a positive integer." http://tools.ietf.org/html/rfc5280#section-4.1.2.2 More importantly, making glaring mistakes in a root certificate doesn't inspire confidence in the practices of the CA.
Gah, sorry. Wrong window, I'll repeat #5 in the right bug (707995)