Closed Bug 967175 Opened 12 years ago Closed 12 years ago

Remove EV entries for ValiCert roots removed in bug 936304

Categories

(Core :: Security: PSM, defect)

x86_64
Windows 8.1
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla30
Tracking Status
firefox29 --- fixed
firefox30 --- fixed

People

(Reporter: briansmith, Assigned: briansmith)

Attachments

(1 file)

Kathleen, besides removing these entries, we should also remove the EV entries for all/any other 1024-bit roots, since they can't meet the EV requirements (2048 keys are required), right?
Attachment #8369619 - Flags: review?(kwilson)
Comment on attachment 8369619
remove-valicert-ev.patch

Review of attachment 8369619:
-----------------------------------------------------------------

Yes, we need to remove the EV entries for the "ValiCert Class 2 Policy Validation Authority" root, which is being removed from NSS in Bug #936304. As you noticed, it had two EV policy OIDs associated with it.

I just checked through the spreadsheet of included roots (http://www.mozilla.org/en-US/about/governance/policies/security-group/certs/included/) and found that none of the other 1024-bit root certs were enabled for EV.

Thanks!
Attachment #8369619 - Flags: review?(kwilson) → review+
Status: NEW → ASSIGNED
Target Milestone: --- → mozilla30
Brian, thanks for catching this issue and fixing it. One question though... This root cert is supposed to be removed in FF29. What will happen if the root cert is removed, but the EV entries are still there?
Comment on attachment 8369619
remove-valicert-ev.patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): This needs to be uplifted to Firefox 29 so that we can uplift NSS 3.16 to Firefox 29. We have to uplift NSS 3.16 to Firefox 29 because we'd promised that we would remove these root certificates (and others) in Firefox 29.

User impact if declined: Cannot remove root certificates with weak keys.

Testing completed (on m-c, etc.): This problem was caught by automated tests (test_ev_certs.js, in particular). This just landed on mozilla-inbound a few minutes ago.

Risk to taking this patch (and alternatives if risky): This is a very safe change. At worst, some certificates that looked like EV certificates previously will no longer look like EV certificates. However, those certificates should never have looked like EV certificates anyway, because the root was using a weak key, which isn't allowed for EV certificates.

String or IDL/UUID changes made by this patch: None.
Attachment #8369619 - Flags: approval-mozilla-aurora?
(In reply to Kathleen Wilson from comment #3)
> Brian, thanks for catching this issue and fixing it. One question though...
>
> This root cert is supposed to be removed in FF29.
> What will happen if the root cert is removed, but the EV entries are still
> there?

This bug has to be fixed in Firefox 29 before NSS 3.16 can be landed in Firefox 29. Otherwise, Firefox debug builds will refuse to start up. (This is how I noticed the problem in the first place.)
Attachment #8369619 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED