Closed Bug 1062589 Opened 10 years ago Closed 10 years ago

Add 3 COMODO Rollover Root CA Certificates to NSS

Categories

(NSS :: CA Certificates Code, task)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kwilson, Unassigned)

References

Details

(Whiteboard: In NSS 3.17.3, FF 36 )

Attachments

(3 files)

This bug requests inclusion in the NSS root certificate store of the following 3 certificates, owned by Comodo.

Friendly name: COMODO RSA Certification Authority
Cert location: http://crt.comodoca.com/COMODORSACertificationAuthority.crt
SHA1 Fingerprint: AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4
Trust flags: Websites, Email, Code Signing
Test URL: https://comodorsacertificationauthority-ev.comodoca.com

Friendly name: USERTrust RSA Certification Authority
Cert location: http://crt.usertrust.com/USERTrustRSACertificationAuthority.crt
SHA1 Fingerprint: 2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E
Trust flags: Websites, Email, Code Signing
Test URL: https://usertrustrsacertificationauthority-ev.comodoca.com

Friendly name: USERTrust ECC Certification Authority
Cert location: http://crt.usertrust.com/USERTrustECCCertificationAuthority.crt
SHA1 Fingerprint: D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0
Trust flags: Websites, Email, Code Signing
Test URL: https://usertrustecccertificationauthority-ev.comodoca.com

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates approved for inclusion in bug #606947.

The next steps are as follows:

1) A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificates have been attached.
2) A Mozilla representative creates a patch with the new certificates, and provides a special test version of Firefox.
3) A representative of the CA uses the test version of Firefox to confirm (by adding a comment in this bug) that the certificates have been correctly imported and that websites work correctly.
4) The Mozilla representative requests that another Mozilla representative review the patch.
5) The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
6) At some time after that, various Mozilla products will move to using a version of NSS which contains the certificates. This process is mostly under the control of the release drivers for those products.
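The fingerprint comparison behind step 1, as an added example that is not part of the bug report or of NSS: it hashes a certificate file (DER or PEM) and compares the result with the SHA1 fingerprints listed in comment 0, which is the integrity check available when the listed cert locations are plain http:// URLs. The function names and the sample bytes are assumptions made for illustration.

```python
import base64
import hashlib
import re

# Fingerprints exactly as listed in comment 0 of this bug.
EXPECTED_SHA1 = {
    "COMODO RSA Certification Authority":
        "AF:E5:D2:44:A8:D1:19:42:30:FF:47:9F:E2:F8:97:BB:CD:7A:8C:B4",
    "USERTrust RSA Certification Authority":
        "2B:8F:1B:57:33:0D:BB:A2:D0:7A:6C:51:F7:0E:E9:0D:DA:B9:AD:8E",
    "USERTrust ECC Certification Authority":
        "D1:CB:CA:5D:B2:D5:2A:7F:69:3B:67:4D:E5:F0:5A:1D:0C:95:7D:F0",
}

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes (NOT one of the real certificates), so this runs offline.
SAMPLE_DER = b"\x30\x82\x00\x04demo"

def to_der(blob: bytes) -> bytes:
    """Return DER bytes; accepts raw DER or one PEM-armoured certificate."""
    blocks = PEM_RE.findall(blob)
    if len(blocks) > 1:
        raise ValueError("expected one certificate, found a bundle")
    if blocks:
        return base64.b64decode(b"".join(blocks[0].split()), validate=True)
    return blob

def normalize(fp: str) -> str:
    """Canonicalise 'af:e5:..', 'AF E5 ..' or 'afe5..' to bare upper-case hex."""
    hexed = re.sub(r"[\s:]", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexed):
        raise ValueError("not a SHA-1 fingerprint: %r" % fp)
    return hexed

def sha1_fingerprint(blob: bytes) -> str:
    """SHA-1 over the DER encoding, in the colon-separated form the bug uses."""
    digest = hashlib.sha1(to_der(blob)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 40, 2))

def matches_listed(name: str, blob: bytes) -> bool:
    """True only if blob hashes to the fingerprint listed for `name`."""
    return normalize(EXPECTED_SHA1[name]) == normalize(sha1_fingerprint(blob))
```

The fingerprint is taken over the DER bytes, so a PEM download and a DER download of the same certificate give the same value.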
Attached file COMODORSACertificationAuthority.cert (deleted)
Rob, Please see step #1 above.
Blocks: 1062600
What does rollover mean in this context?
(In reply to Kai Engert (:kaie) from comment #5)
> What does rollover mean in this context?

That these are the renewed root certs that will eventually replace currently-included root certs...

The new SHA-384 “COMODO RSA Certification Authority” root certificate will eventually replace the SHA-1 “COMODO Certification Authority” root certificate that was included via Bugzilla Bug #401587.

The new SHA-384 “USERTrust RSA Certification Authority” root certificate will eventually replace the SHA-1 “UTN-USERFirst-Hardware”, “UTN - DATACorp SGC”, “UTN-USERFirst-Client Authentication and Email”, and “UTN-USERFirst-Object” root certificates that were included via Bugzilla Bug #242610.

The “USERTrust ECC Certification Authority” root certificate is the ECC version of the “USERTrust RSA Certification Authority” root certificate.
(In reply to Kathleen Wilson from comment #4)
> Rob, Please see step #1 above.

Thanks Kathleen. I confirm that all the data in this bug is correct, and that the correct certificates have been attached.
Depends on: 1088147
Test builds, which add all the roots, can be found here: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/kaie@kuix.de-647a7fdc0b5a/
Thanks Kai. I confirm that this test build adds the 3 Comodo rollover roots correctly. The test pages mentioned in comment 0 now load correctly. Bug 1062600 is where these roots will be EV-enabled, so I was not expecting to see the EV indicator for those test pages with this test build. However, I do see the EV indicator on https://comodorsacertificationauthority-ev.comodoca.com. Even after deleting the Software Security Device that is the cross-certificate for "COMODO RSA Certification Authority" signed by "AddTrust External CA Root" and restarting the test build, the EV indicator is still there. Any thoughts?
Flags: needinfo?(kaie)
Rob, I don't see EV status with any of the test URLs. I used a fresh profile for testing. This page explains how to work with separate Firefox profiles: https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles

If you used a pre-existing profile for testing, it might contain a cached intermediate that allows a chain to one of your existing EV-trusted roots?

If you're still worried about a false positive, then we need to ask the PSM people to investigate, as they have developed their own code for path building.
Flags: needinfo?(kaie)
Using one of my preexisting test profiles, which also has lots of other intermediates cached, I see EV status with the test site. Cert viewer shows a chain to the AddTrust External CA Root.

I also confirm, after removing the intermediate and restarting, the site is still shown with EV status - even after reloading. It seems that EV sites survive with EV status in the Firefox web cache, without revalidating the status at later times. I used the privacy preferences to clear the history, and only after that the EV status for the site was gone.

I've filed separate bug 1088622 for this issue.
(In reply to Kai Engert (:kaie) from comment #11)
<snip>
> I've filed separate bug 1088622 for this issue.

Kai, thanks for diagnosing that.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Whiteboard: In NSS 3.17.3, FF 36