Closed Bug 921045 Opened 11 years ago Closed 11 years ago

Let's include the new update cert and remove the no longer used Equifax cert

Categories

(Firefox :: General, defect)

Product:
Firefox
Component:
General
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 28
Tracking Flags:
Tracking Status
firefox25 + wontfix
firefox26 + verified
firefox27 --- verified
firefox28 --- verified
firefox-esr24 26+ verified
b2g-v1.2 --- fixed

People

(Reporter: akeybl, Assigned: robert.strong.bugs)

References

Details

Attachments

(2 files, 1 obsolete file)

patch rev1
1.32 KB, patch
bbondy
: review+
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta+
lsblakk
: approval-mozilla-esr24+
Details | Diff | Splinter Review
patch for beta so it applies cleanly along with metro prefs
2.98 KB, patch
Details | Diff | Splinter Review 
Let's include the new update cert and remove the Digicert cert when possible
Hoping to land on mozilla-beta today, for our second to last beta
tracking-firefox25: ?+
This didn't get in in time, but I'd like us to keep this on the radar for resolution in 26 at least. It's just crufty to have the old cert lying around.
status-firefox25: --- → wontfix
tracking-firefox26: --- → +
Rob can you get a patch up for this?
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox28: --- → affected
Flags: needinfo?(robert.bugzilla)
Attached patch patch rev1Splinter Review 
I moved the in use certificate to be the one in use and added the new certifcate.
Attachment #8336657 - Flags: review?(netzen)
Flags: needinfo?(robert.bugzilla)
If this is uplifted it would be a "good thing" to also uplift bug 928489 especially since it landed over a month ago which removes this requirement for Windows while also solving bugs with some proxies and some corporate network configuration.
Comment on attachment 8336657 [details] [diff] [review]
patch rev1

Review of attachment 8336657 [details] [diff] [review]:
-----------------------------------------------------------------

I have no way to validate the correctness of the issuers themselves, but the change itself looks logical to me.
Attachment #8336657 - Flags: review?(netzen) → review+
Summary: Let's include the new update cert and remove the Digicert cert → Let's include the new update cert and remove the no longer used Equifax cert
Pushed to fx-team
https://hg.mozilla.org/integration/fx-team/rev/5aad6e015530
Flags: in-testsuite-
Target Milestone: --- → Firefox 28
Comment on attachment 8336657 [details] [diff] [review]
patch rev1

This doesn't affect nightly or aurora since we are currently using aus4 for those channels.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): the backup certificate could not be renewed (see bug 913918)
User impact if declined: No backup certificate if the current certificate is compromised. This can be mitigated with the add-on hotfix.
Testing completed (on m-c, etc.): Manually verified the digicert certificate.
Risk to taking this patch (and alternatives if risky): Small since this is for the backup certificate.
String or IDL/UUID changes made by this patch: None
Attachment #8336657 - Flags: approval-mozilla-beta?
Attachment #8336657 - Flags: approval-mozilla-aurora?
Attachment #8336657 - Flags: approval-mozilla-beta?
Attachment #8336657 - Flags: approval-mozilla-beta+
Attachment #8336657 - Flags: approval-mozilla-aurora?
Attachment #8336657 - Flags: approval-mozilla-aurora+
(In reply to Robert Strong [:rstrong] (do not email) from comment #8)
> Comment on attachment 8336657 [details] [diff] [review]
> patch rev1
> 
> This doesn't affect nightly or aurora since we are currently using aus4 for
> those channels.
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): the backup certificate could not
> be renewed (see bug 913918)
> User impact if declined: No backup certificate if the current certificate is
> compromised. This can be mitigated with the add-on hotfix.
> Testing completed (on m-c, etc.): Manually verified the digicert certificate.
> Risk to taking this patch (and alternatives if risky): Small since this is
> for the backup certificate.
> String or IDL/UUID changes made by this patch: None

Wait, why is this nominated for aurora approval when you say it doesn't affect aurora?
Flags: needinfo?(robert.bugzilla)
Attachment #8336657 - Flags: approval-mozilla-aurora+ → approval-mozilla-aurora?
To keep the code the same across branches as well as in case releng decides to revert back to aus3.
Flags: needinfo?(robert.bugzilla)
Attachment #8336657 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
I'll land this either later tonight or tomorrow depending on when the trees reopen
Attachment #8337198 - Attachment is obsolete: true
DO you want this backported to esr?
Flags: needinfo?(release-mgmt)
https://hg.mozilla.org/mozilla-central/rev/5aad6e015530
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Blocks: 942748
For completeness it can't hurt to have this avenue available to us on 24esr if we should need it - please do.
status-firefox-esr24: --- → affected
tracking-firefox-esr24: --- → 26+
Flags: needinfo?(release-mgmt)
Comment on attachment 8336657 [details] [diff] [review]
patch rev1

pre-approving for esr24 with the assumption that any major changes to the patch would be brought to our attention but otherwise this meets the same standards as the other channel approvals.
Attachment #8336657 - Flags: approval-mozilla-esr24+
Confirmed new certs in about:config prefs, for debug builds only. I have only confirmed the presence of these prefs, not the functionality enabled by them.
status-firefox26: fixedverified
status-firefox27: fixedverified
status-firefox28: fixedverified
status-firefox-esr24: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: