CA/Additional Trust Changes: Difference between revisions

Remove CNNIC - now gone from NSS
(Deleted the StartCom section, because all of the StartCom root certs have been removed from Mozilla's CA program.)
(Remove CNNIC - now gone from NSS)
Line 10: Line 10:


While not technically a modification to the root store as we don't use it for un-trusting roots, Mozilla's [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL] system is used for communicating information about the revocation of intermediate certificates (and high-profile misissued end-entity certificates) to Firefox clients.
While not technically a modification to the root store as we don't use it for un-trusting roots, Mozilla's [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL] system is used for communicating information about the revocation of intermediate certificates (and high-profile misissued end-entity certificates) to Firefox clients.
==CNNIC==
Mozilla [https://blog.mozilla.org/security/files/2015/04/CNNIC-MCS.pdf currently recommends] not trusting any certificates issued by this CA after 1st April 2015. This covers two roots in our store - "CNNIC ROOT" and "China Internet Network Information Center EV Certificates Root". We have a [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/CNNICHashWhitelist.inc whitelist of older certificates], and tools to generate it. The code implementing this restriction is [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#753 in the Mozilla platform security code (PSM)], which is shared by the Mozilla applications (Firefox, Thunderbird, etc.).


==ANSSI==
==ANSSI==
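Review bot: The edit summary justifies dropping the CNNIC section with "now gone from NSS", but the removed text describes more than root-store membership. It points to a restriction implemented in PSM (NSSCertDBTrustDomain.cpp) and to the whitelist in CNNICHashWhitelist.inc, which it says are shared by Firefox, Thunderbird, etc. Please confirm that this code has been removed as well. If it has not, keep a short CNNIC entry stating that the roots are gone from NSS and the PSM check remains, so the page still lists every trust change that is not expressed in the root store.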