Kathleen, to work around the "classic" NSS path building behaviour you
observed yesterday, we will issue another cross-certificate to
"USERTrust Legacy Secure Server CA", with a newer notBefore date, from
our "AddTrust External CA Root" built-in root.
Then, you can include this new cross-certificate in NSS instead of the
one issued by the 2048-bit Entrust built-in root.
We'll pull out all the stops and get this new cross-certificate issued
today.
Kai, just in case you were planning to tag NSS 3.16.4 within the next
few hours...please wait, if you can. :-)
On 04/08/14 23:52, Kathleen Wilson wrote:
On 7/31/14, 1:17 PM, Kathleen Wilson wrote:
Here's what we are doing for this first batch of root changes that was
made in NSS 3.16.3, and is currently in Firefox 32, which is in Beta.
NSS 3.16.4 will be created and included in Firefox 32. It will only
contain these two changes:
1) https://bugzilla.mozilla.org/show_bug.cgi?id=1045189 -- Add the
2048-bit version of the "USERTrust Legacy Secure Server CA" intermediate
cert to NSS, this intermediate cert expires in November 2015.
It turns out that including the 2048-bit version of the cross-signed
intermediate certificate does not help NSS at all. It would only help
Firefox, and would cause confusion.
https://bugzilla.mozilla.org/show_bug.cgi?id=1045189#c13
--
old intermediate:
Subject: "CN=USERTrust Legacy Secure Server CA,O=The USERTRUST
Network,L=Salt Lake City,ST=UT,C=US"
Issuer: "CN=Entrust.net Secure Server Certification Authority,OU=(c)
1999 Entrust.net Limited,OU=www.entrust.net/CPS incorp. by ref. (limits
liab.),O=Entrust.net,C=US"
Serial Number: 1184831531 (0x469f182b)
Validity:
Not Before: Thu Nov 26 20:33:13 2009
Not After : Sun Nov 01 04:00:00 2015
the replacement intermediate::
Subject: "CN=USERTrust Legacy Secure Server CA,O=The USERTRUST
Network,L=Salt Lake City,ST=UT,C=US"
Issuer: "CN=Entrust.net Certification Authority (2048),OU=(c) 1999
Entrust.net Limited,OU=www.entrust.net/CPS_2048 incorp. by ref. (limits
liab.),O=Entrust.net"
Serial Number: 946071786 (0x3863e8ea)
Validity:
Not Before: Thu Nov 26 20:05:16 2009
Not After : Sun Nov 01 05:00:00 2015
When given the choice of the above two certificates for chaining, which
use an identical subject, the legacy NSS chaining code will try only one
path. It will decide which certificate to use based on the validity
time/date. It will pick the one that looks newer.
Unfortunately, the time/date of the certificates don't indicate a clear
"winner".
--
Kai tested this adding the 2048-bit intermediate cert to NSS, and found
that the 1024-bit intermediate cert was still used.
It works for Firefox, because mozilla::pkix keeps trying until it finds
a certificate path that works.
Therefore, it looks like including the 2048-bit intermediate cert
directly in NSS would cause different behavior depending on where the
root store is being used. This would lead to confusion.
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
Office Tel: +44.(0)1274.730505
Office Fax: +44.(0)1274.730909
www.comodo.com
COMODO CA Limited, Registered in England No. 04058690
Registered Office:
3rd Floor, 26 Office Village, Exchange Quay,
Trafford Road, Salford, Manchester M5 3EQ
This e-mail and any files transmitted with it are confidential and
intended solely for the use of the individual or entity to whom they are
addressed. If you have received this email in error please notify the
sender by replying to the e-mail containing this attachment. Replies to
this email may be monitored by COMODO for operational or business
reasons. Whilst every endeavour is taken to ensure that e-mails are free
from viruses, no liability can be accepted and the recipient is
requested to use their own virus checking software.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy