Closed Bug 733454 Opened 8 years ago Closed 6 years ago
Remove hard-coded blocklisting in PSM for Comodo and Diginotar
This blocking is handled at the NSS level, so we don't need this PSM code. The DigiNotar-related code is part of the cause of bug 730734.
Brian, please explain for both Comodo and DigiNotar why your request is justified.
Aren't these checks redundant with the checks that are done in NSS, now that these certs are blacklisted at the NSS level?
And if the NSS-level checks are not sufficient, then we should fix that, since the NSS-level mechanism is the mechanism we are planning to use for future blocking, including blocking the TrustWave MITM cert. So, AFAICT, this is dead code.
Brian, you should implement automated tests that prove that your proposed changes are fine and still block the bad certs (I'm worried this code is still necessary).
Comment on attachment 603349: Remove hard-coded blocking of Comodogate certificates from PSM
missing tests
Attachment #603349 - Flags: review?(kaie) → review-
Comment on attachment 603351: Remove hard-coded blocking of Diginotar certificates
missing tests
Attachment #603351 - Flags: review?(kaie) → review-
Still needs tests.
Comment on attachment 771026: Remove DigiNotar and Comodo hacks
Review of attachment 771026:
Do we have any tests that this is still working with the nss blacklist?
Attachment #771026 - Flags: review?(cviecco) → review+
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla29
Rebased, carrying over r+
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Why is this bug fixed without adding any tests?
(In reply to Masatoshi Kimura [:emk] from comment #14)
> Why is this bug fixed without adding any tests?

A combination of laziness and deadlines, and the fact that these certificates either expired already (2014-03-xx) and/or they were untrusted by other means. For example, we removed the Diginotar roots from NSS and we disabled MD5-based signature verification a while back.