Turn off certain trust bits for TDC roots in NSS

RESOLVED FIXED

Status

NSS
CA Certificates Code
--
enhancement
6 years ago
6 years ago

People

(Reporter: Kathleen Wilson, Unassigned)

(Reporter)

Description

6 years ago
This bug requests that certain trust bits be turned off for the following root certificates in NSS.

The result should be:

O = TDC Internet
OU = TDC Internet Root CA
SHA1 = 21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A
Trust Bits Enabled: Websites
(e.g. turn off email and code signing)

O = TDC
CN = TDC OCES CA
SHA1 = 87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01
Trust Bits Enabled: Email
(e.g. turn off websites and code signing)

These changes have been assessed in accordance with Mozilla’s Root Change Process: https://wiki.mozilla.org/CA:Root_Change_Process#Remove_a_Root

The changes have been discussed in the mozilla.dev.security.policy forum and approved in bug #691844.
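
The requested result can be checked mechanically against trust records in the certdata.txt layout. The following is an added example, not part of the bug report and not NSS code. The attribute and value names (CKA_TRUST_*, CKT_NSS_*) are NSS's and do not appear on this page; the sample record is constructed, and encoding a turned-off bit as CKT_NSS_MUST_VERIFY_TRUST is an assumption.

```python
import re

# Expected result from the bug description: SHA1 fingerprint -> trust bits left enabled.
EXPECTED = {
    "21:FC:BD:8E:7F:6C:AF:05:1B:D1:B3:43:EC:A8:E7:61:47:F2:0F:8A": {"Websites"},
    "87:81:C2:5A:96:BD:C2:FB:4C:65:06:4F:F9:39:0B:26:04:8A:0E:01": {"Email"},
}
# NSS trust attribute -> trust-bit name as shown in the bug description.
BITS = {
    "CKA_TRUST_SERVER_AUTH": "Websites",
    "CKA_TRUST_EMAIL_PROTECTION": "Email",
    "CKA_TRUST_CODE_SIGNING": "Code signing",
}

def make_record(sha1, enabled):
    """Build a CONSTRUCTED trust record in certdata.txt layout (not copied from NSS)."""
    octal = "".join("\\%03o" % int(b, 16) for b in sha1.split(":"))
    lines = ["CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST",
             "CKA_CERT_SHA1_HASH MULTILINE_OCTAL", octal, "END"]
    for attr, name in BITS.items():
        # Assumption: a turned-off bit is written as CKT_NSS_MUST_VERIFY_TRUST.
        value = "CKT_NSS_TRUSTED_DELEGATOR" if name in enabled else "CKT_NSS_MUST_VERIFY_TRUST"
        lines.append(f"{attr} CK_TRUST {value}")
    return "\n".join(lines) + "\n"

def parse_trust(text):
    """Return {sha1_fingerprint: set of enabled trust-bit names} per trust object."""
    result = {}
    for obj in text.split("CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST")[1:]:
        m = re.search(r"CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n(.*?)\nEND", obj, re.S)
        if not m:
            continue  # trust object without a SHA1 hash: cannot be matched to a root
        sha1 = ":".join("%02X" % int(o, 8) for o in re.findall(r"\\([0-7]{3})", m.group(1)))
        enabled = set()
        for attr, name in BITS.items():
            # Only TRUSTED_DELEGATOR counts as "enabled"; any other value is treated as off.
            if re.search(rf"^{attr} CK_TRUST CKT_NSS_TRUSTED_DELEGATOR\s*$", obj, re.M):
                enabled.add(name)
        result[sha1] = enabled
    return result

def mismatches(text, expected=EXPECTED):
    """Return {sha1: (expected, found)} for roots whose trust bits differ or are missing."""
    found = parse_trust(text)
    return {fp: (want, found.get(fp)) for fp, want in expected.items() if found.get(fp) != want}
```

An empty result from mismatches() means both roots carry exactly the trust bits listed above; a root absent from the input is reported with None as its found value.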
(Reporter)

Updated

6 years ago
Duplicate of this bug: 692168

Updated

6 years ago
Blocks: 711829

Comment 2

6 years ago
Could you please check the test build at https://kuix.de/mozilla/tryserver-roots-20111218/
Did I modify the trust flags correctly?

Thanks
(Reporter)

Comment 3

6 years ago
I just checked the test build, and using the Certificate Manager I confirmed that the correct trust bit is set for each of these roots.

Thanks!

Comment 4

6 years ago
Will be fixed in NSS 3.13.2
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 5

6 years ago
I believe that including this root certificate is a mistake: the serial number on the certificate is negative. This happens to be possible with ASN.1, but isn't permitted in a certificate:

"The serial number MUST be a positive integer."

http://tools.ietf.org/html/rfc5280#section-4.1.2.2

More importantly, making glaring mistakes in a root certificate doesn't inspire confidence in the practices of the CA.

Comment 6

6 years ago
Gah, sorry. Wrong window, I'll repeat #5 in the right bug (707995)