1H2020 Symantec Root Updates


Kathleen Wilson

Feb 18, 2020, 7:57:21 PM
to mozilla-dev-s...@lists.mozilla.org
All,

I plan to file the following Bugzilla Bugs for changes related to the
distrust of the old Symantec root certificates.

=== Bug #1: Root Removal and Disable Email Trust Bit ===
This bug will request that the following changes be made to NSS.

1) Remove the following root certs.

- Subject: CN=Symantec Class 2 Public Primary Certification Authority -
G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US
Certificate Serial Number: 34176512403BB756802D80CB7955A61E
SHA-1 Fingerprint: 6724902E4801B02296401046B4B1672CA975FD2B
SHA-256 Fingerprint:
FE863D0822FE7A2353FA484D5924E875656D3DC9FB58771F6F616F9D571BC592

- Subject: CN=Symantec Class 1 Public Primary Certification Authority -
G4; OU=Symantec Trust Network; O=Symantec Corporation; C=US
Certificate Serial Number: 216E33A5CBD388A46F2907B4273CC4D8
SHA-1 Fingerprint: 84F2E3DD83133EA91D19527F02D729BFC15FE667
SHA-256 Fingerprint:
363F3C849EAB03B0A2A0F636D7B86D04D3AC7FCFE26A0A9121AB9795F6E176DF

- Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized
use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 009B7E0649A33E62B9D5EE90487129EF57
SHA-1 Fingerprint: 132D0D45534B6997CDB2D5C339E25576609B5CC6
SHA-256 Fingerprint:
EB04CF5EB1F39AFA762F2BB120F296CBA520C1B97DB1589565B81CB9A17B7244


2) Disable the Email trust bit for the following root certs.
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

- Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 023456
SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
SHA-256 Fingerprint:
FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A

- Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007
GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B
SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0
SHA-256 Fingerprint:
5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766

- Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008
GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F
SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
SHA-256 Fingerprint:
B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4

- Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79
SHA-256 Fingerprint:
A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912

- Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079
SHA-256 Fingerprint:
A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B

- Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized
use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3
SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A
SHA-256 Fingerprint:
69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79

- Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized
use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
SHA-256 Fingerprint:
9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF

== END Bug #1 ==


=== Bug #2: Set CKA_NSS_SERVER_DISTRUST_AFTER ===
Set CKA_NSS_SERVER_DISTRUST_AFTER to the specified dates for the
following root certificates. This distrusts TLS certs that have “Valid
From” newer than the specified date. TLS certificates issued prior to
this date will continue to be trusted until the certificate’s natural
expiration or until we disable the trust bit or remove the root.
Dependency: https://bugzilla.mozilla.org/show_bug.cgi?id=1615438
Note: Distrust-After is a new capability that is being implemented in
Firefox. Most of the dates below come from here:
https://www.microsoft.com/security/blog/2018/10/04/microsoft-partners-with-digicert-to-begin-deprecating-symantec-tls-certificates/
The "GeoTrust Universal CA 2" root is missing from that list, so I
confirmed with DigiCert representatives to use 1/1/2020 as the server
distrust after date for that root.

- Server Distrust After Date: 9/30/2018
Subject: CN=thawte Primary Root CA - G2; OU=(c) 2007 thawte, Inc. - For
authorized use only; O=thawte, Inc.; C=US
Certificate Serial Number: 35FC265CD9844FC93D263D579BAED756
SHA-1 Fingerprint: AADBBC22238FC401A127BB38DDF41DDB089EF012
SHA-256 Fingerprint:
A4310D50AF18A6447190372A86AFAF8B951FFB431D837F1E5688B45971ED1557

- Server Distrust After Date: 9/30/2018
Subject: CN=GeoTrust Universal CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: E621F3354379059A4B68309D8A2F74221587EC79
SHA-256 Fingerprint:
A0459B9F63B22559F5FA5D4C6DB3F9F72FF19342033578F073BF1D1B46CBB912

- Server Distrust After Date: 1/31/2019
Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
G4; OU=VeriSign Trust Network, (c) 2007 VeriSign, Inc. - For authorized
use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 2F80FE238C0E220F486712289187ACB3
SHA-1 Fingerprint: 22D5D8DF8F0231D18DF79DB7CF8A2D64C93F6C3A
SHA-256 Fingerprint:
69DDD7EA90BB57C93E135DC85EA6FCD5480B603239BDC454FC758B2A26CF7F79

- Server Distrust After Date: 4/30/2019
Subject: CN=VeriSign Universal Root Certification Authority; OU=VeriSign
Trust Network, (c) 2008 VeriSign, Inc. - For authorized use only;
O=VeriSign, Inc.; C=US
Certificate Serial Number: 401AC46421B31321030EBBE4121AC51D
SHA-1 Fingerprint: 3679CA35668772304D30A5FB873B0FA77BB70D54
SHA-256 Fingerprint:
2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C

- Server Distrust After Date: 4/30/2019
Subject: CN=thawte Primary Root CA - G3; OU=Certification Services
Division, (c) 2008 thawte, Inc. - For authorized use only; O=thawte,
Inc.; C=US
Certificate Serial Number: 600197B746A7EAB4B49AD64B2FF790FB
SHA-1 Fingerprint: F18B538D1BE903B6A6F056435B171589CAF36BF2
SHA-256 Fingerprint:
4B03F45807AD70F21BFC2CAE71C9FDE4604C064CF5FFB686BAE5DBAAD7FDD34C

- Server Distrust After Date: 4/30/2019
Subject: CN=GeoTrust Primary Certification Authority - G3; OU=(c) 2008
GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
Certificate Serial Number: 15AC6E9419B2794B41F627A9C3180F1F
SHA-1 Fingerprint: 039EEDB80BE7A03C6953893B20D2D9323A4C2AFD
SHA-256 Fingerprint:
B478B812250DF878635C2AA7EC7D155EAA625EE82916E2CD294361886CD1FBD4

- Server Distrust After Date: 4/30/2019
Subject: CN=GeoTrust Primary Certification Authority; O=GeoTrust Inc.; C=US
Certificate Serial Number: 18ACB56AFD69B6153A636CAFDAFAC4A1
SHA-1 Fingerprint: 323C118E1BF7B8B65254E2E2100DD6029037F096
SHA-256 Fingerprint:
37D51006C512EAAB626421F1EC8C92013FC5F82AE98EE533EB4619B8DEB4D06C

- Server Distrust After Date: 4/30/2019
Subject: CN=thawte Primary Root CA; OU=Certification Services Division,
(c) 2006 thawte, Inc. - For authorized use only; O=thawte, Inc.; C=US
Certificate Serial Number: 344ED55720D5EDEC49F42FCE37DB2B6D
SHA-1 Fingerprint: 91C6D6EE3E8AC86384E548C299295C756C817B81
SHA-256 Fingerprint:
8D722F81A9C113C0791DF136A2966DB26C950A971DB46B4199F4EA54B78BFB9F

- Server Distrust After Date: 4/30/2019
Subject: CN=VeriSign Class 3 Public Primary Certification Authority -
G5; OU=VeriSign Trust Network, (c) 2006 VeriSign, Inc. - For authorized
use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 18DAD19E267DE8BB4A2158CDCC6B3B4A
SHA-1 Fingerprint: 4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5
SHA-256 Fingerprint:
9ACFAB7E43C8D880D06B262A94DEEEE4B4659989C3D0CAF19BAF6405E41AB7DF

- Server Distrust After Date: 1/1/2020
Subject: CN=GeoTrust Primary Certification Authority - G2; OU=(c) 2007
GeoTrust Inc. - For authorized use only; O=GeoTrust Inc.; C=US
Certificate Serial Number: 3CB2F4480A00E2FEEB243B5E603EC36B
SHA-1 Fingerprint: 8D1784D537F3037DEC70FE578B519A99E610D7B0
SHA-256 Fingerprint:
5EDB7AC43B82A06A8761E8D7BE4979EBF2611F7DD79BF91C1C6B566A219ED766

- Server Distrust After Date: 1/1/2020
Subject: CN=GeoTrust Global CA; O=GeoTrust Inc.; C=US
Certificate Serial Number: 023456
SHA-1 Fingerprint: DE28F4A4FFE5B92FA3C503D1A349A7F9962A8212
SHA-256 Fingerprint:
FF856A2D251DCD88D36656F450126798CFABAADE40799C722DE4D2B5DB36A73A

- Server Distrust After Date: 1/1/2020
Subject: CN=GeoTrust Universal CA 2; O=GeoTrust Inc.; C=US
Certificate Serial Number: 01
SHA-1 Fingerprint: 379A197B418545350CA60369F33C2EAF474F2079
SHA-256 Fingerprint:
A0234F3BC8527CA5628EEC81AD5D69895DA5680DC91D1CB8477F33F878B95B0B

== End Bug #2 ==

=== Bug #3: Set CKA_NSS_EMAIL_DISTRUST_AFTER ===
Set CKA_NSS_EMAIL_DISTRUST_AFTER to the specified dates for the
following root certificates. This distrusts S/MIME certs that have
“Valid From” newer than the specified date. S/MIME certificates issued
prior to this date will continue to be trusted until the certificate’s
natural expiration or until we disable the trust bit or remove the root.
Dependency: https://bugzilla.mozilla.org/show_bug.cgi?id=1615687
Note: DigiCert's plan is to remove the following roots 03/31/2023.
Customers using S/MIME certs chaining to these roots will reduce the
validity period so that no certs are needed past March 2023.

- Email Distrust After Date: 8/31/2022
Subject: CN=VeriSign Class 1 Public Primary Certification Authority -
G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized
use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 008B5B75568454850B00CFAF3848CEB1A4
SHA-1 Fingerprint: 204285DCF7EB764195578E136BD4B7D1E98E46A5
SHA-256 Fingerprint:
CBB5AF185E942A2402F9EACBC0ED5BB876EEA3C1223623D00447E4F3BA554B65

- Email Distrust After Date: 8/31/2022
Subject: CN=Symantec Class 1 Public Primary Certification Authority -
G6; OU=Symantec Trust Network; O=Symantec Corporation; C=US
Certificate Serial Number: 243275F21D2FD20933F7B46ACAD0F398
SHA-1 Fingerprint: 517F611E29916B5382FB72E744D98DC3CC536D64
SHA-256 Fingerprint:
9D190B2E314566685BE8A889E27AA8C7D7AE1D8AADDBA3C1ECF9D24863CD34B9

- Email Distrust After Date: 8/31/2022
Subject: CN=Symantec Class 2 Public Primary Certification Authority -
G6; OU=Symantec Trust Network; O=Symantec Corporation; C=US
Certificate Serial Number: 64829EFC371E745DFC97FF97C8B1FF41
SHA-1 Fingerprint: 40B331A0E9BFE855BC3993CA704F4EC251D41D8F
SHA-256 Fingerprint:
CB627D18B58AD56DDE331A30456BC65C601A4E9B18DEDCEA08E7DAAA07815FF0

- Email Distrust After Date: 8/31/2022
Subject: CN=VeriSign Class 2 Public Primary Certification Authority -
G3; OU=VeriSign Trust Network, (c) 1999 VeriSign, Inc. - For authorized
use only; O=VeriSign, Inc.; C=US
Certificate Serial Number: 6170CB498C5F984529E7B0A6D9505B7A
SHA-1 Fingerprint: 61EF43D77FCAD46151BC98E0C35912AF9FEB6311
SHA-256 Fingerprint:
92A9D9833FE1944DB366E8BFAE7A95B6480C2D6C6C2A1BE65D4236B608FCA1BB

- Email Distrust After Date: 8/31/2022
Subject: CN=VeriSign Universal Root Certification Authority; OU=VeriSign
Trust Network, (c) 2008 VeriSign, Inc. - For authorized use only;
O=VeriSign, Inc.; C=US
Certificate Serial Number: 401AC46421B31321030EBBE4121AC51D
SHA-1 Fingerprint: 3679CA35668772304D30A5FB873B0FA77BB70D54
SHA-256 Fingerprint:
2399561127A57125DE8CEFEA610DDF2FA078B5C8067F4E828290BFB860E84B3C

== End Bug #3 ==

As always, I will appreciate thoughtful and constructive feedback on this.

Thanks,
Kathleen
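To make the Bug #2 / Bug #3 rule concrete, here is an added example (not part of Kathleen's post and not NSS code) that decodes a `CKA_NSS_SERVER_DISTRUST_AFTER` / `CKA_NSS_EMAIL_DISTRUST_AFTER` value from an NSS certdata.txt-style trust record and applies the stated rule: a certificate is distrusted for that usage only if its "Valid From" (notBefore) is newer than the distrust-after date, and an older certificate stays trusted until it expires. The trust record below is constructed for illustration (the label is made up; the MULTILINE_OCTAL body encodes the 9/30/2018 date used for the thawte Primary Root CA - G2 above), and the `trusted_as_root` helper reflects the `CKT_NSS_MUST_VERIFY_TRUST` setting from Bug #1.

```python
"""Decode NSS distrust-after attributes and apply the notBefore rule.

Added example; the trust record is constructed, not copied from NSS certdata.txt.
"""
import re
from datetime import datetime, timezone

# Constructed certdata.txt-style trust object. MULTILINE_OCTAL bodies are
# octal-escaped bytes; the distrust-after value is a 13-byte YYMMDDHHMMSSZ string.
SAMPLE_TRUST_RECORD = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root (constructed)"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\061\070\060\071\063\060\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""


def parse_trust_record(text):
    """Return {attribute: value}; MULTILINE_OCTAL bodies are decoded to bytes,
    every other attribute keeps its value token(s) as a string."""
    attrs = {}
    lines = iter(text.strip().splitlines())
    for line in lines:
        parts = line.split(None, 2)
        if len(parts) < 2:
            continue
        name, ctype = parts[0], parts[1]
        if ctype == "MULTILINE_OCTAL":
            body = []
            for body_line in lines:  # consume until the END sentinel
                if body_line.strip() == "END":
                    break
                body.append(body_line.strip())
            escapes = re.findall(r"\\([0-7]{3})", "".join(body))
            attrs[name] = bytes(int(octet, 8) for octet in escapes)
        else:
            attrs[name] = parts[2] if len(parts) > 2 else None
    return attrs


def distrust_after(attrs, attribute):
    """Decode a *_DISTRUST_AFTER attribute to an aware UTC datetime.
    Returns None when the attribute is absent or set to CK_FALSE (no cutoff)."""
    value = attrs.get(attribute)
    if not isinstance(value, bytes):
        return None
    return datetime.strptime(value.decode("ascii"), "%y%m%d%H%M%SZ").replace(
        tzinfo=timezone.utc
    )


def is_distrusted(attrs, attribute, not_before):
    """The rule from the post: distrust only certs whose Valid From is newer
    than the cutoff; earlier certs remain valid until their own expiry."""
    cutoff = distrust_after(attrs, attribute)
    return cutoff is not None and not_before > cutoff


def trusted_as_root(attrs, trust_attribute):
    """CKT_NSS_TRUSTED_DELEGATOR = trusted anchor for that usage;
    CKT_NSS_MUST_VERIFY_TRUST = trust bit turned off (Bug #1, part 2)."""
    return attrs.get(trust_attribute) == "CKT_NSS_TRUSTED_DELEGATOR"


def evaluate(record_text, not_before):
    """Summarise TLS and S/MIME outcomes for a leaf with the given notBefore."""
    attrs = parse_trust_record(record_text)
    return {
        "tls_root_trusted": trusted_as_root(attrs, "CKA_TRUST_SERVER_AUTH"),
        "tls_distrusted_by_date": is_distrusted(
            attrs, "CKA_NSS_SERVER_DISTRUST_AFTER", not_before
        ),
        "email_root_trusted": trusted_as_root(attrs, "CKA_TRUST_EMAIL_PROTECTION"),
        "email_distrusted_by_date": is_distrusted(
            attrs, "CKA_NSS_EMAIL_DISTRUST_AFTER", not_before
        ),
    }


if __name__ == "__main__":
    for nb in (datetime(2018, 9, 1, tzinfo=timezone.utc),
               datetime(2018, 10, 1, tzinfo=timezone.utc)):
        print(nb.date(), evaluate(SAMPLE_TRUST_RECORD, nb))
```

Running the script shows the two halves of the rule side by side: a leaf issued 2018-09-01 passes the TLS date check, while one issued 2018-10-01 is rejected for TLS; the e-mail trust bit is off for the root regardless of date, and the unset `CK_FALSE` e-mail cutoff decodes to no date at all.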
Kathleen Wilson

Feb 26, 2020, 7:30:19 PM
to mozilla-dev-s...@lists.mozilla.org
I have filed these three bugs.
> === Bug #1: Root Removal and Disable Email Trust Bit ===

https://bugzilla.mozilla.org/show_bug.cgi?id=1618402
Symantec root certs - removal and turning off Email trust bit

> === Bug #2: Set CKA_NSS_SERVER_DISTRUST_AFTER ===

https://bugzilla.mozilla.org/show_bug.cgi?id=1618404
Symantec root certs - Set CKA_NSS_SERVER_DISTRUST_AFTER


> === Bug #3: Set CKA_NSS_EMAIL_DISTRUST_AFTER ===

https://bugzilla.mozilla.org/show_bug.cgi?id=1618407
Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER

Thanks,
Kathleen