Closed Bug 313942 Opened 19 years ago Closed 18 years ago

Add Netlock Class QA root CA certificate

Categories

(CA Program :: CA Certificate Root Program, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: varga.viktor, Assigned: hecker)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050803 Firefox/1.0+
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050803 Firefox/1.0+
A few months ago, the Netlock Class QA root certificate was submitted to add it to the certificate repository. But there was some change in Hungarian regulations, and we should switch because of these to the other root CA certificate profile (there was some predefined root CA certificate profile) to follow these regulations. So, the actually used root CA certificate has a different extension, following the regulations, and we would like to ask you to change it.
(previous request is here: https://bugzilla.mozilla.org/show_bug.cgi?id=279728 )
(maybe open bugs are closable regarding our previous request, because the extensions which cause bugs, are not critical now.)
(this problem was reported to the RFC maintainer, qcStatement should not be critical)
The new Netlock Class QA certificate is the following. (Purposes are the same.)
Best regards.
Viktor Varga
Reproducible: Always
Steps to Reproduce: Cannot reproduce, because new request.
Changed product to mozilla.org:CA Certificates. Frank, this is a request to change a previously approved root CA cert. Viktor: to double-check, do you want us to remove the old NetLock CAs? If so, which ones? There are three of them in Firefox 1.5 Beta 2: Class A, Class B, and Class C.
Assignee: wtchang → hecker
Status: UNCONFIRMED → NEW
Component: Libraries → CA Certificates
Ever confirmed: true
Product: NSS → mozilla.org
QA Contact: jason.m.reid
Version: unspecified → other
If I recall correctly, the Netlock Class QA root certificate was never added to NSS, because it had an extension restricting it for use in certain circumstances (I think for transactions above a certain monetary value), and we had (and still have) no way in the browser UI to implement this restriction. (I can't remember the bug number on this, and have to leave work right now; ask Nelson Bolyward about it, I think he knows more.) I don't know if this extension issue is still relevant. If this is no longer an issue then I have no objection to adding the Netlock Class QA certificate along with the other Netlock certificates already in NSS.
Frank, you are right. The Netlock Class QA root certificate was never added to NSS. My previous comment is wrong. (I thought "Class QA" was a typo for "Class A".) This is a request to change a root CA cert that couldn't be added.
(In reply to comment #3)
> Frank, you are right. The Netlock Class QA root certificate was
> never added to NSS. My previous comment is wrong. (I thought
> "Class QA" was a typo for "Class A".)
>
> This is a request to change a root CA cert that couldn't be added.
Yes, I want to add the QA cert, which is only in the queue, because of the qcStatement problem.
It is available from the IE/Windows with the root update component. You can check it, how it is downloading, when you install my certificate to your Windows. From the following link, you can download my certificate, with the option "Tanusitvany letoltese".
http://www.netlock.hu/index.cgi?sid=000000000000000000&tid=m39L7CzWQoV5JZGKt2bwquV4P&typname=Szem%c3%a9lyes%20v%c3%a9gfelhaszn%c3%a1l%c3%b3i&caname=NetLock%20Minositett%20Kozjegyzoi%20(Class%20QA)%20Tanusitvanykiado&lang=HU&tem=ANONYMOUS/kereses/tanusit_adatok.tem&minositett
If you install it, then the crypt32 will access the Microsoft site, and download the regarding root certificate. If you installed the root CA cert manually previously, then you should remove it before this to view the changes.
Can you tell me some deadline, when will it be available from Mozilla product line?
(In reply to comment #2)
> If I recall correctly, the Netlock Class QA root certificate was never added
> to NSS, because it had an extension restricting it for use in certain
> circumstances (I think for transactions above a certain monetary value), and
> we had (and still have) no way in the browser UI to implement this
> restriction. (I can't remember the bug number on this, and have to leave
> work right now; ask Nelson Bolyward about it, I think he knows more.)
It is bug 277797, still open.
> I don't know if this extension issue is still relevant.
Yes it is. mozilla & NSS still have no way to deal with this extension, and if it is marked critical, NSS will not honor that certificate. However, as I understand it, Varga is saying that this extension is NOT marked critical in the new replacement cert.
We should double check that this new cert works in manually imported, and also double-check that we're getting the real CA cert from the right person here, by some other communications channel.
(In reply to comment #6)
> (In reply to comment #2)
> > If I recall correctly, the Netlock Class QA root certificate was never added
> > to NSS, because it had an extension restricting it for use in certain
> > circumstances (I think for transactions above a certain monetary value), and
> > we had (and still have) no way in the browser UI to implement this
> > restriction. (I can't remember the bug number on this, and have to leave
> > work right now; ask Nelson Bolyward about it, I think he knows more.)
>
> It is bug 277797, still open.
>
> > I don't know if this extension issue is still relevant.
>
> Yes it is. mozilla & NSS still have no way to deal with this extension,
> and if it is marked critical, NSS will not honor that certificate.
> However, as I understand it, Varga is saying that this extension is NOT
> marked critical in the new replacement cert.
Yes, it is true. This extension in this root CA certificate is NOT marked critical.
> We should double check that this new cert works in manually imported, and
> also double-check that we're getting the real CA cert from the right
> person here, by some other communications channel.
You can check the root certificate is the same, if you try under Windows the previously mentioned steps. The root certificate is available through the Microsoft Root Update Component.
Attached file: Netlock Class QA root certificate (deleted)
Frank, I'm now ready to add the new Netlock Class QA root certificate. I verified that it uses a non-critical "Netscape Certificate Comment" certificate extension. I also verified that the certificate file posted in this bug is the same as the certificate downloaded by the Update Root Certificates component of Windows XP SP2.
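The criticality rule this bug turns on (a verifier must reject a certificate carrying a critical extension it does not process, and may ignore a non-critical one) can be checked with a few lines of DER parsing. This is an added example, not part of the bug thread and not NSS code; the helper names, the `RECOGNIZED` set and both extension lists are constructed for illustration, and it parses only an Extensions SEQUENCE, not a whole certificate.

```python
def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """DER OID content bytes -> dotted string (first sub-identifier assumed one byte)."""
    first = min(raw[0] // 40, 2)
    arcs, value = [first, raw[0] - 40 * first], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def list_extensions(der):
    """Parse an Extensions SEQUENCE; critical is BOOLEAN DEFAULT FALSE, so absent = False."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    found, pos = [], 0
    while pos < len(body):
        _, item, pos = read_tlv(body, pos)
        _, oid, after_oid = read_tlv(item, 0)
        next_tag, value, _ = read_tlv(item, after_oid)
        found.append((decode_oid(oid), next_tag == 0x01 and value != b"\x00"))
    return found

def unhandled_critical(der, recognized):
    """OIDs that are marked critical but that the verifier does not process."""
    return [oid for oid, crit in list_extensions(der) if crit and oid not in recognized]

# Constructed sample data; the extnValue bytes are placeholders, not real contents.
def tlv(tag, content):
    return bytes([tag, len(content)]) + content
def ext(oid_hex, critical):
    flag = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, tlv(0x06, bytes.fromhex(oid_hex)) + flag + tlv(0x04, b"\x05\x00"))

BASIC, KEYUSE = ext("551d13", True), ext("551d0f", True)
WITH_CRITICAL_QC = tlv(0x30, BASIC + KEYUSE + ext("2b06010505070103", True))   # qcStatements
WITH_COMMENT = tlv(0x30, BASIC + KEYUSE + ext("6086480186f842010d", False))    # Netscape comment
RECOGNIZED = {"2.5.29.19", "2.5.29.15"}     # hypothetical verifier: basicConstraints, keyUsage
```

`unhandled_critical(WITH_CRITICAL_QC, RECOGNIZED)` returns the qcStatements OID, which is the reject case; for `WITH_COMMENT` it returns an empty list, because the non-critical Netscape comment extension is simply skipped.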
Attached patch: NSS patch (deleted)
Generated with the command: addbuiltin -n "NetLock Qualified (Class QA) Root" -t c,C,C < netlock.der
Feel free to proceed with this change.
Depends on: 340183
Wan-Teh, when this patch is applied, and this new cert is displayed in PSM's cert manager, does it have the same problem as the cert named "UTN-USERFirst-Client Authentication and Email"? That is, does PSM say "Could not verify this certificate because the issuer is not trusted."?
OS: Windows XP → All
Hardware: PC → All
Summary: Change request - change Netlock Class QA certificate → Add Netlock Class QA root CA certificate
According to Bug 340183, this cert was added to NSS 3.11.2, so I am marking this request resolved/fixed.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Product: mozilla.org → NSS
Product: NSS → CA Program