Closed Bug 850740 Opened 7 years ago Closed 5 years ago

Per Symantec's request, turn off trust bits for “TC TrustCenter Universal CA III” cert

(NSS :: CA Certificate Root Program, task)

(Reporter: kwilson, Assigned: kwilson)
Symantec is not currently using the “TC TrustCenter Universal CA III” root certificate, so they have requested that the trust bits be turned off for now.

All three trust bits may be turned off for the following root cert.

CN = TC TrustCenter Universal CA III
OU = TC TrustCenter Universal CA
O = TC TrustCenter GmbH
C = DE
SHA1 Fingerprint: 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
Rick, please confirm that the information above is correct.
The above information is correct.
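An added example (not part of this bug or of NSS) showing the check an operator would run before acting on a request like this: locate a certificate in a trust store by the fingerprint quoted above and produce the trust-bit change to apply. Mozilla root-program fingerprints are SHA1 over the DER-encoded certificate, and NSS's certutil expresses the three trust bits (SSL, email, object signing) as a comma-separated string, so "all three trust bits off" is ",,". The store contents, nicknames and database path below are constructed placeholders; the real root's DER bytes are not on this page.

```python
import hashlib
import re
from typing import Dict, List

# SHA1 fingerprint exactly as listed in the bug report.
TC_TRUSTCENTER_UNIVERSAL_CA_III_SHA1 = (
    "96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87"
)

# certutil trust-argument notation: "SSL,email,objsign".
# "C" = trusted CA for that usage; an empty field = no trust for that usage.
TRUST_ALL_THREE = "C,C,C"
TRUST_NONE = ",,"


def normalize_fingerprint(fp: str) -> str:
    """Canonicalise a fingerprint: drop separators and whitespace, upper-case hex.
    Accepts 'AB:CD', 'ab cd' and 'abcd'; rejects anything that is not 40 hex digits."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(hexdigits) != 40:
        raise ValueError(f"not a SHA1 fingerprint: {fp!r}")
    return hexdigits


def sha1_fingerprint(der: bytes) -> str:
    """Colon-separated, upper-case SHA1 fingerprint of a DER-encoded certificate."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))


def find_by_fingerprint(store: Dict[str, bytes], fingerprint: str) -> List[str]:
    """Return the nicknames in `store` (nickname -> DER bytes) whose SHA1 fingerprint
    matches `fingerprint`, whatever formatting the fingerprint was given in."""
    wanted = normalize_fingerprint(fingerprint)
    return [nick for nick, der in store.items()
            if normalize_fingerprint(sha1_fingerprint(der)) == wanted]


def plan_trust_change(store: Dict[str, bytes], fingerprint: str,
                      new_trust: str = TRUST_NONE,
                      db: str = "sql:/path/to/nssdb") -> List[List[str]]:
    """Build the certutil invocations that would set `new_trust` on every matching
    certificate. Returns argv lists only; nothing is executed here.
    `db` is a placeholder NSS database location."""
    return [["certutil", "-M", "-d", db, "-n", nick, "-t", new_trust]
            for nick in find_by_fingerprint(store, fingerprint)]


if __name__ == "__main__":
    # Constructed stand-in store: these bytes are not real certificates.
    store = {"constructed-cert-a": b"abc", "constructed-cert-b": b"xyz"}
    print(find_by_fingerprint(store, TC_TRUSTCENTER_UNIVERSAL_CA_III_SHA1))  # []
    for argv in plan_trust_change(store, sha1_fingerprint(b"abc")):
        print(" ".join(argv))
```

Matching on the fingerprint rather than on the subject DN matters here: several TC TrustCenter roots share the same O and OU values, and only the fingerprint pins the exact certificate whose bits are to be cleared.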
Depends on: 856718
Why would we keep it in the root store if we're not going to trust it and it isn't being used and they already have MANY other roots that they can use? It seems like it is just wasting space if the trust bits are disabled.
Brian, the process for getting a root added takes a year or more. The process for flipping trust bits is much quicker. We have other roots, true, but they have different characteristics and they're not necessarily like this one.
Yes, but the reason for those delays is due to policy, not so much the adding/removing of the bits in the shared library. I think that if there are no trust bits set then there's no reason to include a root certificate in the shared library. Instead, it is better to remove them, to reduce confusion, and to make space for more useful data (e.g. pre-caching intermediates that are commonly missing in servers' cert chains so that AIA fetching is not/less necessary).
With the root certificate still in the NSS database, old E-mail messages and old software installer files can still be verified if the user edits the trust bits to turn them back on.  This is a reason not to remove the certificate even if trust bits are off.
What is the status on this item? Thank you.
Closed: 5 years ago
Resolution: --- → FIXED
Product: → NSS