This bug requests that certain trust bits be turned off for the following root certificates in NSS. The result should be:

O = TDC Internet
OU = TDC Internet Root CA
SHA1 = 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
Trust Bits Enabled: Websites (e.g. turn off email and code signing)

O = TDC
CN = TDC OCES CA
SHA1 = 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
Trust Bits Enabled: Email (e.g. turn off websites and code signing)

These changes have been assessed in accordance with Mozilla’s Root Change Process: https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root

The changes have been discussed in the mozilla.dev.security.policy forum and approved in bug #691844.
Could you please check the test build at https://kuix.de/mozilla/tryserver-roots-20111218/ ? Did I modify the trust flags correctly? Thanks
I just checked the test build, and using the Certificate Manager I confirmed that the correct trust bit is set for each of these roots. Thanks!
Will be fixed in NSS 3.13.2
I believe that including this root certificate is a mistake: the serial number on the certificate is negative. This happens to be possible with ASN.1, but isn't permitted in a certificate: "The serial number MUST be a positive integer." http://tools.ietf.org/html/rfc5280#section-4.1.2.2 More importantly, making glaring mistakes in a root certificate doesn't inspire confidence in the practices of the CA.
Gah, sorry. Wrong window, I'll repeat #5 in the right bug (707995)
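The point raised in comment 5, that ASN.1 can encode a negative serial number although RFC 5280 forbids one, shown as an added example that is not part of the original thread or of NSS: a DER INTEGER is two's complement, so serial bytes with the top bit set need a leading 0x00 octet to stay positive. The sample bytes are constructed, the function names are hypothetical, and the 20-octet length check comes from the same RFC section and goes beyond what the comment mentions.

```python
# DER serialNumber sanity check (RFC 5280 section 4.1.2.2); sample bytes are constructed.
MAX_SERIAL_OCTETS = 20  # RFC 5280 limit on serialNumber length


def decode_der_integer(tlv: bytes) -> int:
    """Decode a single short-form DER INTEGER TLV to a signed Python int."""
    if len(tlv) < 3 or tlv[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length = tlv[1]
    if length >= 0x80:
        raise ValueError("long-form length: far too large for a serial number")
    content = tlv[2:]
    if len(content) != length:
        raise ValueError("length octet does not match content")
    # DER requires the shortest two's-complement encoding.
    if length > 1 and (
        (content[0] == 0x00 and content[1] < 0x80)
        or (content[0] == 0xFF and content[1] >= 0x80)
    ):
        raise ValueError("non-minimal INTEGER encoding")
    return int.from_bytes(content, "big", signed=True)


def serial_problems(tlv: bytes) -> list:
    """Return the RFC 5280 serialNumber rules this encoding breaks."""
    problems = []
    if decode_der_integer(tlv) <= 0:
        problems.append("serial number is not a positive integer")
    if tlv[1] > MAX_SERIAL_OCTETS:
        problems.append("serial number is longer than 20 octets")
    return problems


def encode_positive_serial(raw: bytes) -> bytes:
    """Encode unsigned big-endian serial bytes as a positive DER INTEGER."""
    content = raw.lstrip(b"\x00")
    if not content:
        raise ValueError("serial number must not be zero")
    if content[0] & 0x80:
        content = b"\x00" + content  # keep the sign bit clear
    if len(content) > MAX_SERIAL_OCTETS:
        raise ValueError("serial number is longer than 20 octets")
    return bytes([0x02, len(content)]) + content


RAW = bytes.fromhex("9a3f01")           # constructed serial, top bit set
NAIVE = bytes([0x02, len(RAW)]) + RAW   # raw bytes copied in unpadded
FIXED = encode_positive_serial(RAW)     # padded with a leading 0x00 octet
```

`serial_problems(NAIVE)` reports the non-positive serial, while `serial_problems(FIXED)` returns an empty list.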