Closed
Bug 313942
Opened 19 years ago
Closed 18 years ago
Add Netlock Class QA root CA certificate
Categories
(CA Program :: CA Certificate Root Program, task)
CA Program
CA Certificate Root Program
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: varga.viktor, Assigned: hecker)
References
Details
Attachments
(2 files)
(deleted),
application/x-x509-ca-cert
|
Details | |
(deleted),
patch
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050803 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050803 Firefox/1.0+
A few months ago, the Netlock Class QA root certificate was submitted to add it to the certificate repository.
But there was some change in hungarian regulations, and we should switch because these to the other root CA certificate profile (there was some predefined root CA certificate profile) to follow these regulations.
So, the actually used root CA certificate has different extension, follwing the regulations, and we would like to ask you to change it.
(previous request is here: https://bugzilla.mozilla.org/show_bug.cgi?id=279728 )
(maybe open bugs are closable regarding our previous request, because the extensions which cause bugs, are not critical now.)
(this problem was reported to the RFC maintainer, qcStatement should be not critical)
The new Netlock Class QA certificate is the following.
(Purposes are the same.)
Best regards. Viktor Varga
-----BEGIN CERTIFICATE-----
MIIG0TCCBbmgAwIBAgIBezANBgkqhkiG9w0BAQUFADCByTELMAkGA1UEBhMCSFUx
ETAPBgNVBAcTCEJ1ZGFwZXN0MScwJQYDVQQKEx5OZXRMb2NrIEhhbG96YXRiaXp0
b25zYWdpIEtmdC4xGjAYBgNVBAsTEVRhbnVzaXR2YW55a2lhZG9rMUIwQAYDVQQD
EzlOZXRMb2NrIE1pbm9zaXRldHQgS296amVneXpvaSAoQ2xhc3MgUUEpIFRhbnVz
aXR2YW55a2lhZG8xHjAcBgkqhkiG9w0BCQEWD2luZm9AbmV0bG9jay5odTAeFw0w
MzAzMzAwMTQ3MTFaFw0yMjEyMTUwMTQ3MTFaMIHJMQswCQYDVQQGEwJIVTERMA8G
A1UEBxMIQnVkYXBlc3QxJzAlBgNVBAoTHk5ldExvY2sgSGFsb3phdGJpenRvbnNh
Z2kgS2Z0LjEaMBgGA1UECxMRVGFudXNpdHZhbnlraWFkb2sxQjBABgNVBAMTOU5l
dExvY2sgTWlub3NpdGV0dCBLb3pqZWd5em9pIChDbGFzcyBRQSkgVGFudXNpdHZh
bnlraWFkbzEeMBwGCSqGSIb3DQEJARYPaW5mb0BuZXRsb2NrLmh1MIIBIjANBgkq
hkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAx1Ilstg91IRVCacbvWy5FPSKAtt2/Goq
eKvld/Bu4IwjZ9ulZJm53QE+b+8tmjwi8F3JV6BVQX/yQ15YglMxZc4e8ia6AFQe
r7C8HORSjKAyr7c3sVNnaHRnUPYtLmTeriZ539+Zhqurf4XsoPuAzPS4DB6TRWO5
3Lhbm+1bOdRfYrCnjnxmOCyqsQhjF2d9zL2z8cM/z1A57dEZgxXbhxInlrfa6uWd
vLrqOU+L73Sa58XQ0uqGURzk/mQIKAR5BevKxXEOC++r6uwSEaEYBTJp0QwsGj0l
mT+1fMptsK6ZmfoIYOcZwvK9UdPM0wKswREMgM6r3JSda6M5UzrWhQIDAMV9o4IC
wDCCArwwEgYDVR0TAQH/BAgwBgEB/wIBBDAOBgNVHQ8BAf8EBAMCAQYwggJ1Bglg
hkgBhvhCAQ0EggJmFoICYkZJR1lFTEVNISBFemVuIHRhbnVzaXR2YW55IGEgTmV0
TG9jayBLZnQuIE1pbm9zaXRldHQgU3pvbGdhbHRhdGFzaSBTemFiYWx5emF0YWJh
biBsZWlydCBlbGphcmFzb2sgYWxhcGphbiBrZXN6dWx0LiBBIG1pbm9zaXRldHQg
ZWxla3Ryb25pa3VzIGFsYWlyYXMgam9naGF0YXMgZXJ2ZW55ZXN1bGVzZW5laywg
dmFsYW1pbnQgZWxmb2dhZGFzYW5hayBmZWx0ZXRlbGUgYSBNaW5vc2l0ZXR0IFN6
b2xnYWx0YXRhc2kgU3phYmFseXphdGJhbiwgYXogQWx0YWxhbm9zIFN6ZXJ6b2Rl
c2kgRmVsdGV0ZWxla2JlbiBlbG9pcnQgZWxsZW5vcnplc2kgZWxqYXJhcyBtZWd0
ZXRlbGUuIEEgZG9rdW1lbnR1bW9rIG1lZ3RhbGFsaGF0b2sgYSBodHRwczovL3d3
dy5uZXRsb2NrLmh1L2RvY3MvIGNpbWVuIHZhZ3kga2VyaGV0b2sgYXogaW5mb0Bu
ZXRsb2NrLm5ldCBlLW1haWwgY2ltZW4uIFdBUk5JTkchIFRoZSBpc3N1YW5jZSBh
bmQgdGhlIHVzZSBvZiB0aGlzIGNlcnRpZmljYXRlIGFyZSBzdWJqZWN0IHRvIHRo
ZSBOZXRMb2NrIFF1YWxpZmllZCBDUFMgYXZhaWxhYmxlIGF0IGh0dHBzOi8vd3d3
Lm5ldGxvY2suaHUvZG9jcy8gb3IgYnkgZS1tYWlsIGF0IGluZm9AbmV0bG9jay5u
ZXQwHQYDVR0OBBYEFAlqYhaSsFq7VQ7LdTI6MuWyIckoMA0GCSqGSIb3DQEBBQUA
A4IBAQCRalCc23iBmz+LQuM7/KbD7kPgz/PigDVJRXYC4uMvBcXxKufAQTPGtpvQ
MznNwNuhrWw3AkxYQTvyl5LGSKjN5Yo5iWH5Upfpvfb5lHTocQ68d4bDBsxafEp+
NFAwLvt/MpqNPfMgW/hqyobzMUwsWYACff44yTB1HLdV47yfuqhthCgFdbOLDcCR
VCHnpgu0mfVRQdzNo0ci2ccBgcTcR08m6h/t280NmPSjnLRzMkqWmf68f8glWPhY
83ZmiVSkpj7EUFy6iRiCdUgh0k8T6GB+B3bbELVR5qq5aKrN9p2QdRLqOBrKROi3
macqaJVmlaut74nLYKkGEsaUR+ko
-----END CERTIFICATE-----
Reproducible: Always
Steps to Reproduce:
Cannot reproduce, because new request.
Comment 1•19 years ago
|
||
Changed product to mozilla.org:CA Certificates.
Frank, this is a request to change a previously approved
root CA cert.
Viktor: to doublecheck, do you want us to remove the
old NetLock CAs? If so, which ones? There are three
of them in Firefox 1.5 Beta 2: Class A, Class B, and
Class C.
Assignee: wtchang → hecker
Status: UNCONFIRMED → NEW
Component: Libraries → CA Certificates
Ever confirmed: true
Product: NSS → mozilla.org
QA Contact: jason.m.reid
Version: unspecified → other
Assignee | ||
Comment 2•19 years ago
|
||
If I recall correctly, the Netlock Class QA root certificate was never added to NSS, because it had an extension restricting it for use in certain circumstances (I think for transactions above a certain monetary value), and we had (and still have) no way in the browser UI to implement this restriction. (I can't remember the bug number on this, and have to leave work right now; ask Nelson Bolyward about it, I think he knows more.)
I don't know if this extension issue is still relevant. If this is no longer an issue then I have no objection to adding the Netlock Class QA certificate along with the other Netlock certificates already in NSS.
Comment 3•19 years ago
|
||
Frank, you are right. The Netlock Class QA root certificate was
never added to NSS. My previous comment is wrong. (I thought
"Class QA" was a typo for "Class A".)
This is a request to change a root CA cert that couldn't be added.
Reporter | ||
Comment 4•19 years ago
|
||
(In reply to comment #3)
> Frank, you are right. The Netlock Class QA root certificate was
> never added to NSS. My previous comment is wrong. (I thought
> "Class QA" was a typo for "Class A".)
>
> This is a request to change a root CA cert that couldn't be added.
Yes, I want to add the QA cert, which is only in the queue, because the qcStatement problem.
Reporter | ||
Comment 5•19 years ago
|
||
It is avaible from the IE/Windows with the root update component.
You can check it, how it is downloading, when you install my certificate to your Windows.
From the following link, you can download my certificate, with the option "Tanusitvany letoltese".
http://www.netlock.hu/index.cgi?sid=000000000000000000&tid=m39L7CzWQoV5JZGKt2bwquV4P&typname=Szem%c3%a9lyes%20v%c3%a9gfelhaszn%c3%a1l%c3%b3i&caname=NetLock%20Minositett%20Kozjegyzoi%20(Class%20QA)%20Tanusitvanykiado&lang=HU&tem=ANONYMOUS/kereses/tanusit_adatok.tem&minositett
If you install it, then the crypt32 will access the Microsoft site, and downloads the regarding root certificate.
If you installed the root ca cert it manualy previously, then you should remove it before this to view the changes.
Can you tell me some deadline, when will it avaible from Mozilla product line?
Comment 6•19 years ago
|
||
(In reply to comment #2)
> If I recall correctly, the Netlock Class QA root certificate was never added
> to NSS, because it had an extension restricting it for use in certain
> circumstances (I think for transactions above a certain monetary value), and
> we had (and still have) no way in the browser UI to implement this
> restriction. (I can't remember the bug number on this, and have to leave
> work right now; ask Nelson Bolyward about it, I think he knows more.)
It is bug 277797, still open.
> I don't know if this extension issue is still relevant.
Yes it is. mozilla & NSS still have no way to deal with this extension,
and if it is marked critical, NSS will not honor that certificate.
However, as I understand it, Varga is saying that this extension is NOT
marked critical in the new replacement cert.
We should double check that this new cert works in manually imported, and
also double-check that we're getting the real CA cert from the right
person here, by some other communications channel.
Reporter | ||
Comment 7•19 years ago
|
||
(In reply to comment #6)
> (In reply to comment #2)
> > If I recall correctly, the Netlock Class QA root certificate was never added
> > to NSS, because it had an extension restricting it for use in certain
> > circumstances (I think for transactions above a certain monetary value), and
> > we had (and still have) no way in the browser UI to implement this
> > restriction. (I can't remember the bug number on this, and have to leave
> > work right now; ask Nelson Bolyward about it, I think he knows more.)
>
> It is bug 277797, still open.
>
> > I don't know if this extension issue is still relevant.
>
> Yes it is. mozilla & NSS still have no way to deal with this extension,
> and if it is marked critical, NSS will not honor that certificate.
> However, as I understand it, Varga is saying that this extension is NOT
> marked critical in the new replacement cert.
Yes, it is true. This extension in this root CA certificate is NOT marked critical.
> We should double check that this new cert works in manually imported, and
> also double-check that we're getting the real CA cert from the right
> person here, by some other communications channel.
You can check the root certificate is the same, if you try under Windows the previously mentioned steps.
The root certificate is avaible trough the Microsoft Root Update Component.
Comment 8•19 years ago
|
||
Frank, I'm now ready to add the new Netlock Class QA
root certificate. I verified that it uses a non-critical
"Netscape Certificate Comment" certificate extension. I
also verified that the certificate file posted in this
bug is the same as the certificate downloaded by the
Update Root Certificates component of Windows XP SP2.
Comment 9•19 years ago
|
||
Generated with the command:
addbuiltin -n "NetLock Qualified (Class QA) Root" -t c,C,C < netlock.der
Assignee | ||
Comment 10•19 years ago
|
||
Feel free to proceed with this change.
Comment 11•19 years ago
|
||
Wan-Teh, when this patch is applied, and this new cert is displayed in
PSM's cert manager, does it have the same problem as the cert named
"UTN-USERFirst-Client Authentication and Email" ? That is, Does PSM say
"Could not verify this certificate because the issuer is not trusted." ?
Updated•18 years ago
|
OS: Windows XP → All
Hardware: PC → All
Summary: Change request - change Netlock Class QA certificate → Add Netlock Class QA root CA certificate
Comment 12•18 years ago
|
||
According to Bug 340183, this cert was added to NSS 3.11.2,
so I am marking this request resolved/fixed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Updated•8 years ago
|
Product: mozilla.org → NSS
Updated•2 years ago
|
Product: NSS → CA Program
You need to log in
before you can comment on or make changes to this bug.
Description
•