
CA/Certificate Change Process

193 bytes added, 22:50, 5 October 2020
Updated to match current process
#** Product: NSS
#** Component: CA Certificate Root Program
#** Summary: Remove <CN or cert name> root cert
#*** Or: Turn off Trust Bit(s) for <CN or cert name> root cert
#** Description: Include the following information
#*** Subject/Issuer field values in the root certificate to be changed
#*** SHA256 Fingerprint of the certificate to be changed
#*** Specify if the root is to be removed, or which trust bits are to be turned off
#**** Consideration: For a serious situation, it might be better to disable the trust bits of that root by default, rather than just remove the root. If the root is removed, it could potentially be signed by another root that is included in NSS. However, if we disable the trust bits by default, then that root could not be used again for TLS in Firefox unless a user specifically turned on the websites trust bit for it.
#*** Reason for requesting this change
#*** Impact that the change may have on Mozilla users
# Implementation
#* If the resulting decision is to change the root certificate, the Mozilla representative will create a corresponding NSS bug to make the actual changes in NSS, and mark that bug as blocking the original change request.
#* A Mozilla representative makes the changes in an [https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS NSS] branch, and requests code review.
#* A Mozilla representative commits the changes into the NSS store, and marks the bug RESOLVED FIXED.
#* A Mozilla representative confirms the changes in Firefox Nightly, then updates the corresponding records in the [https://www.ccadb.org/ CCADB].
#* For security-sensitive bugs, the security update will proceed as described in [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla's Policy for Handling Security Bugs]
#* For non-security-sensitive requests, some time after the bug is marked as RESOLVED FIXED, various Mozilla products will move to using a version of NSS which contains the change. This process is mostly under the control of the release drivers for those products.