Bug 727783 - VeriSign Class 3 Public Primary Certification Authority not trusted
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 15
Assignee: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Reported: 2011-08-03 08:44 UTC by David Juran
Modified: 2011-08-05 12:20 UTC
Last Closed: 2011-08-04 15:26:49 UTC
Description David Juran 2011-08-03 08:44:25 UTC
Description of problem:
There seem to be applets out there (e.g. the WebEx meeting) that are signed with the VeriSign Class 3 Public Primary Certification Authority, but OpenJDK does not recognise this as a trusted CA. Is this intentional?


Version-Release number of selected component (if applicable):
java-1.6.0-openjdk-1.6.0.0-59.1.10.3.fc15

How reproducible:
Every time

Steps to Reproduce:
1. firefox http://www.webex.com/lp/jointest/?elq=809f7a3332a347a0a231ef24c8b40d9c
2. Try to join the meeting
3. Watch the warning

Comment 1 David Juran 2011-08-03 08:59:30 UTC
Seems the JVM gets its certs from /etc/pki/java/cacerts

Comment 2 David Juran 2011-08-03 09:09:57 UTC
Some more details on the missing cert:

OU=Class 3 Public Primary Certification Authority, O="VeriSign, Inc.", C=US
Validity: [From: Fri Jul 16 03:00:00 EEST 2004,
               To: Wed Jul 16 02:59:59 EEST 2014]
CN=VeriSign Class 3 Code Signing 2004 CA, OU=Terms of use at https://www.verisign.com/rpa (c)04, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US
SHA1 Fingerprint: 19:7A:4A:EB:DB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4

Comment 3 Joe Orton 2011-08-04 15:26:49 UTC
Our authoritative source for trusted root CAs is Mozilla; this root is not in there, so we don't ship it.  Not much more we can do about this; we don't want to start vetting individual CA roots in Fedora.

Comment 4 David Juran 2011-08-05 12:10:29 UTC
Fair enough.
For what it's worth, I've now filed the same question with Mozilla in https://bugzilla.mozilla.org/show_bug.cgi?id=676799
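
Added example, not part of the original bug thread or of Fedora's tooling: a Python check for the question raised in Comments 1 and 2, reading a JKS trust store such as /etc/pki/java/cacerts and testing whether a given SHA1 fingerprint belongs to one of its trusted entries. It assumes the file is in JKS format and holds only trusted-certificate entries; `sample_store()` builds a constructed keystore whose "certificates" are placeholder bytes, and all function names are hypothetical.

```python
import hashlib, struct, sys

JKS_MAGIC = 0xFEEDFEED
REPORTED = "19:7A:4A:EB:DB:25:F0:17:00:79:BB:8C:73:CB:2D:65:5E:00:18:A4"  # from Comment 2

def _utf(buf, pos):
    """Read a Java writeUTF string (2-byte length prefix); return (text, offset)."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8", "replace"), pos + 2 + n

def trusted_fingerprints(buf):
    """Map SHA1 fingerprint -> alias for every trusted-certificate entry."""
    magic, version, count = struct.unpack_from(">III", buf, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, found = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", buf, pos)
        if tag != 2:  # tag 1 is a private-key entry, not expected in a CA store
            raise ValueError("entry tag %d is not a trusted certificate" % tag)
        alias, pos = _utf(buf, pos + 4)
        pos += 8  # skip the creation timestamp
        if version == 2:  # version 2 stores the certificate type, e.g. "X.509"
            _, pos = _utf(buf, pos)
        (n,) = struct.unpack_from(">I", buf, pos)
        der, pos = buf[pos + 4:pos + 4 + n], pos + 4 + n
        if len(der) != n:
            raise ValueError("truncated keystore")
        h = hashlib.sha1(der).hexdigest().upper()
        found[":".join(h[i:i + 2] for i in range(0, 40, 2))] = alias
    return found

def is_trusted(buf, fingerprint):
    """True if the colon-separated SHA1 fingerprint matches a trusted entry."""
    return fingerprint.strip().upper() in trusted_fingerprints(buf)

def sample_store():
    """Constructed JKS blob: two entries with placeholder bytes as 'certificates'."""
    utf = lambda s: struct.pack(">H", len(s)) + s.encode()
    out = struct.pack(">III", JKS_MAGIC, 2, 2)
    for alias, der in (("constructed-a", b"placeholder A"), ("constructed-b", b"placeholder B")):
        out += (struct.pack(">I", 2) + utf(alias) + bytes(8) + utf("X.509")
                + struct.pack(">I", len(der)) + der)
    return out + bytes(20)  # integrity-digest slot; this parser does not verify it

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_store()
    print("trusted" if is_trusted(data, REPORTED) else "not in trust store")
```

Run with a keystore path as the only argument to check a real store; with no argument it checks the constructed sample.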

