Closed Bug 810010 Opened 9 years ago Closed 9 years ago

Add PSCProcert certificate to NSS

Categories

(NSS :: CA Certificates Code, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Assigned: KaiE)

References

Details

(Whiteboard: test complete)

Attachments

(3 files)

2.38 KB, application/x-x509-ca-cert
Details
145.42 KB, application/pdf
mozilla.psc.procert
: review-
mozilla.psc.procert
: feedback-
Details
270.71 KB, application/pdf
Details
Attached file PSCProcert Certificate
This bug requests inclusion in the NSS CA certificate store of the following certificate, owned by PROCERT.

Friendly name: PSCProcert
Certificate location: https://bugzilla.mozilla.org/attachment.cgi?id=512251
SHA1 Fingerprint: 70:C1:8D:74:B4:28:81:0A:E4:FD:A5:75:D7:01:9F:99:B0:3D:50:74
Trust flags: Websites, Email, Code Signing
Test URL: https://mail.procert.net.ve/exchange 

Note: This certificate is signed by SUSCERTE, so the Issuer O = Sistema Nacional de Certificacion Electronica. In Bug #489240 it was determined that SUSCERTE’s sub-CAs should apply for inclusion themselves as separate trust anchors. 

The PROCERT CA has been assessed in accordance with the Mozilla project guidelines, and this certificate approved for inclusion in bug #593805.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificate has been attached.

2) A Mozilla representative creates a patch with the new certificate, and provides a special test version of Firefox.

3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificate has been correctly imported and that website works correctly.

4) The Mozilla representative requests that another Mozilla representative review the patch.

5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.

6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
Attachment #679792 - Attachment mime type: application/pkix-cert → application/x-x509-ca-cert
Oscar, Please see step #1 above.
Attached file Answer to Bug 810010
Attachment #681002 - Flags: review-
Attachment #681002 - Flags: feedback-
(In reply to Procert from comment #2)
> Created attachment 681002 [details]

Thanks for confirming that the data in this bug is correct.

Root inclusions and changes are usually grouped and done as a batch when there is
either a large enough set of changes or about every 3 months.

At some point in the next 3 months a test build will be provided and this bug
will be updated to request that you test it. Since you are cc'd on this bug,
you will get notification via email when that happens.
Dear Kathleen, we don't receive email with information about the inclusión.
How much longer will be the process?
We will appreciate any information about the batch publication.
Best Regards  and a happy new year.
Attached file Answer comment 87
Sorry, I posted the answer for comment 5 related to this bug 810010.
The answer that I posted correspond to bug 593805, comment 86.

Please do not hesitate in contact us for additional information.

Best Regards.

Oscar Lovera
Sorry, I posted the answer for comment 5 related to this bug 810010.
The answer that I posted correspond to bug 593805, comment 86.

Please do not hesitate in contact us for additional information.

Best Regards.

Oscar Lovera
Sorry, I posted the answer for comment 5 related to this bug 810010.
The answer that I posted correspond to bug 593805, comment 86.

Please do not hesitate in contact us for additional information.

Best Regards.

Oscar Lovera
Oscar, thank you for responding to the CA Communication in bug #593805. I have reviewed your response, and it looks good.

This bug is ready to be included in the next batch of root inclusion and change requests.
Depends on: 857615
Assignee: nobody → kaie
Please proceed with testing.

Important reminder:
At this phase, we change the NSS root CA list, which covers domain validation.

At this time, please test that your root has been correctly included and 
that trust flags are set correctly, and that connections to your test site work
with basic domain validation status.

If you have requested EV (extended validation), this is NOT yet enabled,
it will be done at a later time, in a separate bug.


The test build is available at
  http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-cdb68506e138/

Please download a binary for your preferred operating system.

(Only if the above link fails, you may use this backup location:
  https://kuix.de/mozilla/tryserver-roots-20130403/ )

Can a CA representative please verify the trust settings for correctness?

FYI: https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion

(See also the initial comments in this bug.
 You should ensure that you're using a fresh profile,
 to make sure you really see the trust bits provided by this build,
 not trust settings that you had set manually in an application profile.
 To learn how to use a separate profile for testing, refer to
 http://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
 or http://kb.mozillazine.org/Creating_a_new_Firefox_profile_on_Windows )
This site: https://app.cadivi.gob.ve/ have a cert from PROCERT.
I have used the test build and a fresh profile to confirm the new root is included with all three trust bits enabled. Note that in the Certificate Manager this root is displayed under "Sistema Nacional de Certificacion Electronica".

A representative of the CA needs to also confirm that they have installed the test build and verified that the correct root is included and the correct trust bits set. https://wiki.mozilla.org/CA:How_to_apply#Testing_Inclusion
Dear Kathleen Wilson,

As representative of PROCERT's, I, Oscar Lovera under affidavit, confirmed that the root including in the NSS root CA test list, correspond with the venezuelan root of certification.

Please remember, PROCERT's is a subCA under the venezuelan root of certification ("Sistema Nacional de Certificacion Electronica").

Best Regards,

Oscar Lovera
Whiteboard: test complete
Target Milestone: --- → 3.15
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.