Re: 1H2020 Symantec Root Updates

2020-02-26 Thread Kathleen Wilson via dev-security-policy 

I have filed these three bugs.

=== Bug #1: Root Removal and Disable Email Trust Bit ===


https://bugzilla.mozilla.org/show_bug.cgi?id=1618402
Symantec root certs - removal and turning off Email trust bit


=== Bug #2: Set CKA_NSS_SERVER_DISTRUST_AFTER ===


https://bugzilla.mozilla.org/show_bug.cgi?id=1618404
Symantec root certs - Set CKA_NSS_SERVER_DISTRUST_AFTER



=== Bug #3: Set CKA_NSS_EMAIL_DISTRUST_AFTER  ===


https://bugzilla.mozilla.org/show_bug.cgi?id=1618407
Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER

Thanks,
Kathleen
___
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

1H2020 Symantec Root Updates

2020-02-18 Thread Kathleen Wilson via dev-security-policy 

All,

I plan to file the following Bugzilla Bugs for changes related to the 
distrust of the old Symantec root certificates.


=== Bug #1: Root Removal and Disable Email Trust Bit ===
This bug will request that the following changes be made to NSS.

1) Remove the following root certs.

- Subject: CN=Symantec Class 2 Public Primary Certification Authority - 
G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US

Certificate Serial Number: 34176512403BB756802D80CB7955A61E
SHA-1 Fingerprint: 6724902E4801B02296401046B4B1672CA975FD2B
SHA-256 Fingerprint: 
FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592


- Subject: CN=Symantec Class 1 Public Primary Certification Authority - 
G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US

Certificate Serial Number: 216E33A5CBD388A46F2907B4273CC4D8
SHA-1 Fingerprint: 84F2E3DD83133EA91D19527F02D729BFC15FE667
SHA-256 Fingerprint: 
363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF


- Subject: CN=VeriSign Class 3 Public Primary Certification Authority - 
G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized 
use only; O=VeriSign, Inc.; C=US

Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57
SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6
SHA-256 Fingerprint: 
EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244



2) Disable the Email trust bit for the following root certs.
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 023456
SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
SHA-256 Fingerprint: 
FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A


Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007 
GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US

Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B
SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0
SHA-256 Fingerprint: 
5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766


- Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008 
GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US

Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F
SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
SHA-256 Fingerprint: 
B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4


- Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79
SHA-256 Fingerprint: 
A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912


- Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079
SHA-256 Fingerprint: 
A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B


- Subject: CN=VeriSign Class 3 Public Primary Certification Authority - 
G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized 
use only; O=VeriSign, Inc.; C=US

Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3
SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A
SHA-256 Fingerprint: 
69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79


- Subject: CN=VeriSign Class 3 Public Primary Certification Authority - 
G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized 
use only; O=VeriSign, Inc.; C=US

Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
SHA-256 Fingerprint: 
9ACFAB7E43C8D880D06B262A94D4B4659989C3D0CAF19BAF6405E41AB7DF


== END Bug #1 ==


=== Bug #2: Set CKA_NSS_SERVER_DISTRUST_AFTER ===
Set CKA_NSS_SERVER_DISTRUST_AFTER to the specified dates for the 
following root certificates. This distrusts TLS certs that have “Valid 
From” newer than the specified date. TLS certificates issued prior to 
this date will continue to be trusted until the certificate’s natural 
expiration or until we disable the trust bit or remove the root.

Dependency: https://bugzilla.mozilla.org/show_bug.cgi?id=1615438
Note: Distrust-After is a new capability that is being implemented in 
Firefox. Most of the dates below come from here:

https://www.microsoft.com/security/blog/2018/10/04/microsoft-partners-with-digicert-to-begin-deprecating-symantec-tls-certificates/
The "GeoTrust Universal CA 2" root is missing from that list, so I 
confirmed with DigiCert representatives to use 1/1/2020 as the server 
distrust after date for that root.


- Server Distrust After Date: 9/30/2018
Subject: CN=thawte Primary Root CA - G2; OU=(c) 2007 thawte, Inc. - For 
authorized use only; O=thawte, Inc.; C=US

Certificate Serial Number: 35FC265CD9844FC93D263D579BAED756
SHA-1 Fingerprint: AADBBC22238FC401A127BB38DDF41DDB089EF012
SHA-256 Fingerprint: 
A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557


- Server Distrust After Date: 9/30/2018
Subject: