Changes


CA/Certificate Change Process

289 bytes added, 23:38, 1 February 2010
m
Remove a Root
** Root removals that are motivated by a serious security concern such as a major root compromise should be treated as a security-sensitive bug, and the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs] should be followed.
* Expired or Expiring CA
* Small modulus key length (e.g. 1024-bit or smaller)
* Outdated signing key algorithm (e.g. MD2 or MD5)
* Transition/Rollover to new root completed
* Legacy, no longer in use
* Previously deprecated
Note: For some legacy root certificates it may be better to turn off the websites trust bit and leave the root in NSS with one or both of the email and code signing trust bits enabled, so that S/MIME will work without error on older email messages. The [[CA:Root_Change_Process#Disable_a_Root|Disable a Root]] section above explains how to request that specific trust bits be turned off for a root certificate.
The process for removing a root from NSS is as follows:
#*** Reason for requesting that the root be removed
#*** Impact that removing the root may have on Mozilla users
#* The bug may be marked as security-sensitive. Security-sensitive bugs can be viewed only by a select set of Bugzilla users, not by the general public.
#* In most situations an authoritative representative of the CA must request or approve the change. Mozilla reserves the right to approve the change without the consent of the CA.
# The bug will be assigned to the Mozilla representative who is appointed to evaluate the request. This will usually be the standing module owner.
# The Mozilla representative will ensure the necessary information has been provided.
#* Technical assistance may be requested
#* Additional information may be requested of CA and other parties
#* The Mozilla representative must confirm that a qualified representative of either the CA or Mozilla has either requested or approved the change.
# The Mozilla representative will deliver any preliminary decisions
#* It may be necessary to treat the bug as a sensitive security issue and follow the [http://www.mozilla.org/projects/security/security-bugs-policy.html Mozilla Policy for Handling Security Bugs]