Closed
Bug 850740
Opened 11 years ago
Closed 9 years ago
Per Symantec's request, turn off trust bits for “TC TrustCenter Universal CA III” cert
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: kathleen.a.wilson, Assigned: kathleen.a.wilson)
Symantec is not currently using the “TC TrustCenter Universal CA III” root certificate, so they have requested that the trust bits be turned off for now. All three trust bits may be turned off for the following root cert.
CN = TC TrustCenter Universal CA III
OU = TC TrustCenter Universal CA
O = TC TrustCenter GmbH
C = DE
SHA1 Fingerprint: 96:56:CD:7B:57:96:98:95:D0:E1:41:46:68:06:FB:B8:C6:11:06:87
Assignee
Comment 1•11 years ago
Rick, please confirm that the information above is correct.
Status: NEW → ASSIGNED
Comment 2•11 years ago
The above information is correct.
Comment 3•11 years ago
Why would we keep it in the root store if we're not going to trust it and it isn't being used and they already have MANY other roots that they can use? It seems like it is just wasting space if the trust bits are disabled.
Comment 4•11 years ago
Brian, the process for getting a root added takes a year or more. The process for flipping trust bits is much quicker. We have other roots, true, but they have different characteristics and they're not necessarily like this one.
Comment 5•11 years ago
Yes, but the reason for those delays is due to policy, not so much the adding/removing of the bits in the shared library. I think that if there are no trust bits set then there's no reason to include a root certificate in the shared library. Instead, it is better to remove them, to reduce confusion, and to make space for more useful data (e.g. pre-caching intermediates that are commonly missing in servers' cert chains so that AIA fetching is not/less necessary).
Comment 6•11 years ago
With the root certificate still in the NSS database, old E-mail messages and old software installer files can still be verified if the user edits the trust bits to turn them back on. This is a reason not to remove the certificate even if trust bits are off.
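Added example, not part of the bug or of NSS: the state discussed in comments 3 to 6 (root still included, all three trust bits off), written in the trust-object layout NSS uses for its built-in root list (certdata.txt), with a parser that lists such roots. The sample records are constructed and reduced; the second root and the names `parse_trust` and `included_but_untrusted` are hypothetical.

```python
import re
# Constructed, reduced sample in the style of NSS certdata.txt trust objects.
# Record 1: label and SHA1 from this bug, all bits off. Record 2: made up, hash omitted.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "TC TrustCenter Universal CA III"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\226\126\315\173\127\226\230\225\320\341\101\106\150\006\373\270
\306\021\006\207
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
'''
BITS = {"CKA_TRUST_SERVER_AUTH": "websites",
        "CKA_TRUST_EMAIL_PROTECTION": "email",
        "CKA_TRUST_CODE_SIGNING": "code signing"}

def parse_trust(text):
    # One dict per trust object: label, SHA1 fingerprint, set of enabled trust bits.
    records, cur, in_hash = [], None, False
    for line in (l.strip() for l in text.splitlines()):
        if line == "CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST":
            cur = {"label": None, "sha1": [], "trusted": set()}
            records.append(cur)
        elif cur is None or not line:
            continue
        elif in_hash:  # octal-escaped hash bytes run until the END line
            in_hash = line != "END"
            cur["sha1"] += ["%02X" % int(o, 8) for o in re.findall(r"\\([0-7]{3})", line)]
        elif line == "CKA_CERT_SHA1_HASH MULTILINE_OCTAL":
            in_hash = True
        elif line.startswith("CKA_LABEL UTF8"):
            cur["label"] = line.split('"')[1]
        elif line.split()[0] in BITS and line.endswith("CKT_NSS_TRUSTED_DELEGATOR"):
            cur["trusted"].add(BITS[line.split()[0]])
    for r in records:
        r["sha1"] = ":".join(r["sha1"])
    return records

def included_but_untrusted(records):
    # Roots that remain in the list but have no trust bit enabled.
    return [(r["label"], r["sha1"]) for r in records if not r["trusted"]]
```

Run against a root list, `included_but_untrusted` gives the set of roots in the position this bug describes: shipped, matchable by fingerprint, and trusted for nothing until a trust bit is turned back on.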
Comment 7•9 years ago
What is the status on this item? Thank you.
Assignee
Updated•9 years ago
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program