MozillaWiki

CA/Additional Trust Changes: Difference between revisions

Page Discussion

CA/Additional Trust Changes (view source)

Revision as of 18:37, 31 July 2023

796 bytes added ,  31 July 2023
m
Kamu SM's name-constraints have been updated.
(Removed obsolete ANSII section)
m (Kamu SM's name-constraints have been updated.)
 
(3 intermediate revisions by the same user not shown)
Line 9: Line 9:
==OneCRL==
==OneCRL==


While not technically a modification to the root store as we don't use it for un-trusting roots, Mozilla's [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL] system is used for communicating information about the revocation of intermediate certificates (and high-profile misissued end-entity certificates) to Firefox clients.
While not technically a modification to the root store as we don't use it for un-trusting roots, Mozilla's [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL] system is used for communicating information about the revocation of intermediate certificates (and high-profile misissued end-entity certificates) to Firefox clients. Reports are provided about revoked intermediate certificates on the [[CA/Intermediate_Certificates|CA/Intermediate Certificates wiki page]].


==Distrust After==
==Distrust After==
Line 18: Line 18:
==Kamu SM==
==Kamu SM==


The Turkish Government CA is name-constrained to a set of turkish toplevel domains - that is, .gov.tr, .k12.tr, .pol.tr, .mil.tr, .tsk.tr, .kep.tr, .bel.tr, .edu.tr and .org.tr. The code for that [https://hg.mozilla.org/projects/nss/annotate/1feb89a254de/lib/certdb/genname.c#l1622 is in NSS].
The Turkish Government CA is name-constrained to *.tr. ([https://phabricator.services.mozilla.com/D177242 code change])


==Symantec==
==Symantec==
Line 49: Line 49:


In a future Firefox release, we expect to remove the whitelist, and remove the ‘websites’ trust bit from all Symantec roots. The timing of these changes, and any changes to the ‘email’ trust bit (S/MIME) have not yet been determined.
In a future Firefox release, we expect to remove the whitelist, and remove the ‘websites’ trust bit from all Symantec roots. The timing of these changes, and any changes to the ‘email’ trust bit (S/MIME) have not yet been determined.
<br /> <br />
 
<br />
'''Update December 2020:'''
<br />
The following 10 root certificates were removed via {{bug|1670769}} from [[NSS:Release_Versions|NSS 3.60]] and [[Release_Management/Calendar|Firefox 85]].
# [https://crt.sh/?id=17 GeoTrust Global CA]
# [https://crt.sh/?id=4350 GeoTrust Primary Certification Authority]
# [https://crt.sh/?id=847444 GeoTrust Primary Certification Authority - G3]
# [https://crt.sh/?id=30 thawte Primary Root CA]
# [https://crt.sh/?id=254193 thawte Primary Root CA - G3]
# [https://crt.sh/?id=2771491 VeriSign Class 3 Public Primary Certification Authority - G4]
# [https://crt.sh/?id=93 VeriSign Class 3 Public Primary Certification Authority - G5]
# [https://crt.sh/?id=3382830 thawte Primary Root CA - G2]
# [https://crt.sh/?id=4174851 GeoTrust Universal CA]
# [https://crt.sh/?id=4175126 GeoTrust Universal CA 2]
 
'''Update June 2020:'''  
'''Update June 2020:'''  
<br />
<br />
Kathleen Wilson
Confirmed users, Administrators
5,526

edits

Retrieved from "https://wiki.allizom.org/Special:MobileDiff/1231747...1247331"