Confirmed users, Administrators
5,526
edits
CA/Additional Trust Changes: Difference between revisions
Added update regarding enforcement of server-distrust-after in Firefox 78.
(Added February 2020 update) |
(Added update regarding enforcement of server-distrust-after in Firefox 78.) |
||
| Line 50: | Line 50: | ||
In a future Firefox release, we expect to remove the whitelist, and remove the ‘websites’ trust bit from all Symantec roots. The timing of these changes, and any changes to the ‘email’ trust bit (S/MIME) have not yet been determined. | In a future Firefox release, we expect to remove the whitelist, and remove the ‘websites’ trust bit from all Symantec roots. The timing of these changes, and any changes to the ‘email’ trust bit (S/MIME) have not yet been determined. | ||
<br /> <br /> | <br /> <br /> | ||
'''Update | '''Update June 2020:''' | ||
<br /> | <br /> | ||
There is a [https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 new Distrust-After capability] available in [https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/nss/lib/ckfw/builtins/certdata.txt certdata.txt] | There is a [https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 new Distrust-After capability] available in [https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/nss/lib/ckfw/builtins/certdata.txt certdata.txt], which is enforced as of Firefox 78 ([https://bugzilla.mozilla.org/show_bug.cgi?id=1615438 Bug #1615438]), and will be enforced in Thunderbird at a later date. The following Bugzilla bugs were filed to use this capability. This update was [https://groups.google.com/d/msg/mozilla.dev.security.policy/WpJiD14tiXc/2Waf17XCFQAJ described in the mozilla.dev.security.policy forum]. | ||
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1618404 Symantec root certs - Set CKA_NSS_SERVER_DISTRUST_AFTER] | * [https://bugzilla.mozilla.org/show_bug.cgi?id=1618404 Symantec root certs - Set CKA_NSS_SERVER_DISTRUST_AFTER] | ||
** Implemented in NSS 3.53, Firefox 78. | |||
** Setting CKA_NSS_SERVER_DISTRUST_AFTER to the specified dates distrusts TLS certs that have “Valid From” newer than the specified date. TLS certificates issued prior to this date will continue to be trusted until the certificate’s natural expiration or until we disable the trust bit or remove the root. | ** Setting CKA_NSS_SERVER_DISTRUST_AFTER to the specified dates distrusts TLS certs that have “Valid From” newer than the specified date. TLS certificates issued prior to this date will continue to be trusted until the certificate’s natural expiration or until we disable the trust bit or remove the root. | ||
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1618407 Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER] | * [https://bugzilla.mozilla.org/show_bug.cgi?id=1618407 Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER] | ||
** Setting CKA_NSS_EMAIL_DISTRUST_AFTER to the specified dates distrusts S/MIME certs that have “Valid From” newer than the specified date. S/MIME certificates issued prior to this date will continue to be trusted until the certificate’s natural expiration or until we disable the trust bit or remove the root. | ** Setting CKA_NSS_EMAIL_DISTRUST_AFTER to the specified dates distrusts S/MIME certs that have “Valid From” newer than the specified date. S/MIME certificates issued prior to this date will continue to be trusted until the certificate’s natural expiration or until we disable the trust bit or remove the root. | ||