Confirm, administrator
5,526
edits
Changes
m
#*** Which trust bits are to be turned off#*** Reason for requesting this changethat the root be removed#*** Impact that removing the change root may have on Mozilla users
→Remove a Root
* Previously deprecated
Note: For some legacy root certificates it may be better to leave the root in NSS with the email trust bit enabled, so that S/MIME will work without error on older email messages. The [[CA:Root_Change_Process#Disable_a_Root|Disable a Root ]] section above explains how to request that specific trust bits be turned off for a root certificate.
The process for disabling removing a root in from NSS is as follows:
# Initiate the request
#* File a bug in Bugzilla with the following information:
#** Product: mozilla.org
#** Component: CA Certificates
#** Summary: Disable Remove (CN or cert name) root cert
#** Description: Include the following information
#*** Value of the O (Organization) and OU (Organizational Unit) fields in the root certificate to be changed
#*** The certificate Common Name and or Certificate Name
#*** If needed, other information to clearly identify which root is to be changed (eg SHA1 Fingerprint)
#** An authoritative representative of the CA must approve the change.
# The bug will be assigned to the Mozilla representative who is appointed to evaluate the request. This will usually be the standing module owner.
# The Mozilla representative will ensure the necessary information has been provided.
#* Options should be identified
#** Which Trust Bits to unset (Websites, Email, Code Signing)#** Versus complete Complete removal of the root cert from NSSversus turning off specific trust bits.
#* Technical assistance may be requested
#* Additional information may be requested of CA and other parties
#* The Mozilla representative should must confirm that a qualified representative of the CA has either requested or approved the change.
# The Mozilla representative will deliver any preliminary decisions
#* It may be necessary to treat the bug as a sensitive security issue and follow the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs]
