Closed
Bug 810010
Opened 12 years ago
Closed 12 years ago
Add PSCProcert certificate to NSS
Categories
(NSS :: CA Certificates Code, task)
NSS
CA Certificates Code
Tracking
(Not tracked)
RESOLVED
FIXED
3.15
People
(Reporter: kathleen.a.wilson, Assigned: KaiE)
References
Details
(Whiteboard: test complete)
Attachments
(3 files)
This bug requests inclusion in the NSS CA certificate store of the following certificate, owned by PROCERT.
Friendly name: PSCProcert
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=512251
SHA1 Fingerprint: 70:C1:8D:74:B4:28:81:0A:E4:FD:A5:75:D7:01:9F:99:B0:3D:50:74
Trust flags: Websites, Email, Code Signing
Test URL: https://mail.procert.net.ve/exchange
Note: This certificate is signed by SUSCERTE, so the Issuer O = Sistema Nacional de Certificacion Electronica. In Bug #489240 it was determined that SUSCERTE’s sub-CAs should apply for inclusion themselves as separate trust anchors.
The PROCERT CA has been assessed in accordance with the Mozilla project guidelines, and this certificate approved for inclusion in bug #593805.
The next steps are as follows:
1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate has been attached.
2) A Mozilla representative creates a patch with the new certificate, and provides a special test version of Firefox.
3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate has been correctly imported and that website works correctly.
4) The Mozilla representative requests that another Mozilla representative review the patch.
5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
|
Reporter | |
Updated•12 years ago
|
Attachment #679792 -
Attachment mime type: application/pkix-cert → application/x-x509-ca-cert
|
|
Reporter | |
Comment 1•12 years ago
|
||
Oscar, Please see step #1 above.
Attachment #681002 -
Flags: review-
Attachment #681002 -
Flags: feedback-
|
|
Reporter | |
Comment 3•12 years ago
|
||
(In reply to Procert from comment #2)
> Created attachment 681002 [details]
Thanks for confirming that the data in this bug is correct.
Root inclusions and changes are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.
At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.
Dear Kathleen, we don't receive email with information about the inclusión.
How much longer will be the process?
We will appreciate any information about the batch publication.
Best Regards and a happy new year.
|
|
Reporter | |
Comment 5•12 years ago
|
||
Please see and respond to
https://bugzilla.mozilla.org/show_bug.cgi?id=593805#c86
Sorry, I posted the answer for comment 5 related to this bug 810010.
The answer that I posted correspond to bug 593805, comment 86.
Please do not hesitate in contact us for additional information.
Best Regards.
Oscar Lovera
Sorry, I posted the answer for comment 5 related to this bug 810010.
The answer that I posted correspond to bug 593805, comment 86.
Please do not hesitate in contact us for additional information.
Best Regards.
Oscar Lovera
Sorry, I posted the answer for comment 5 related to this bug 810010.
The answer that I posted correspond to bug 593805, comment 86.
Please do not hesitate in contact us for additional information.
Best Regards.
Oscar Lovera
|
|
Reporter | |
Comment 10•12 years ago
|
||
Oscar, thank you for responding to the CA Communication in bug #593805. I have reviewed your response, and it looks good.
This bug is ready to be included in the next batch of root inclusion and change requests.
|
Assignee | |
Updated•12 years ago
|
Assignee: nobody → kaie
|
|
Assignee | |
Comment 11•12 years ago
|
||
Please proceed with testing.
Important reminder:
At this phase, we change the NSS root CA list, which covers domain validation.
At this time, please test that your root has been correctly included and
that trust flags are set correctly, and that connections to your test site work
with basic domain validation status.
If you have requested EV (extended validation), this is NOT yet enabled,
it will be done at a later time, in a separate bug.
The test build is available at
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-cdb68506e138/
Please download a binary for your preferred operating system.
(Only if the above link fails, you may use this backup location:
https://kuix.de/mozilla/tryserver-roots-20130403/ )
Can a CA representative please verify the trust settings for correctness?
FYI: https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion
(See also the initial comments in this bug.
You should ensure that you're using a fresh profile,
to make sure you really see the trust bits provided by this build,
not trust settings that you had set manually in an application profile.
To learn how to use a separate profile for testing, refer to
http://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
or http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows )
|
||
Comment 12•12 years ago
|
||
This site: https://app.cadivi.gob.ve/ have a cert from PROCERT.
|
|
||
Comment 13•12 years ago
|
||
|
|
Reporter | |
Comment 14•12 years ago
|
||
I have used the test build and a fresh profile to confirm the new root is included with all three trust bits enabled. Note that in the Certificate Manager this root is displayed under "Sistema Nacional de Certificacion Electronica".
A representative of the CA needs to also confirm that they have installed the test build and verified that the correct root is included and the correct trust bits set. https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion
|
||
Comment 15•12 years ago
|
||
Dear Kathleen Wilson,
As representative of PROCERT's, I, Oscar Lovera under affidavit, confirmed that the root including in the NSS root CA test list, correspond with the venezuelan root of certification.
Please remember, PROCERT's is a subCA under the venezuelan root of certification ("Sistema Nacional de Certificacion Electronica").
Best Regards,
Oscar Lovera
|
|
Reporter | |
Updated•12 years ago
|
Whiteboard: test complete
|
||
Updated•12 years ago
|
Target Milestone: --- → 3.15
|
|
Reporter | |
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•