CA/Additional Trust Changes
Revision as of 21:24, 31 January 2018
The Mozilla Root Program's official repository of the roots it trusts is certdata.txt. Some information about the level of trust in each root is included in that file - for example, whether it's trusted for server SSL, S/MIME or both. However, not all restrictions recommended by Mozilla on the roots can be or are encoded in certdata.txt. Some are implemented in our security library, "NSS", or in Firefox and Thunderbird (so-called "PSM").
Sometimes, other companies and organizations decide to use Mozilla's root store in their products. As the CA FAQ notes, Mozilla does not promise to take into account the needs of other users of its root store when making decisions. However, for the benefit of such users and on a best-efforts basis, this page documents the additional trust settings that Mozilla recommends.
Extended Validation (EV)
The status of whether a root is approved to issue EV certificates or not is stored in PSM rather than certdata.txt.
OneCRL
While not technically a modification to the root store, since we don't use it to un-trust roots, Mozilla's OneCRL system is used for communicating information about the revocation of intermediate certificates (and high-profile misissued end-entity certificates) to Firefox clients.
CNNIC
Mozilla currently recommends not trusting any certificates issued by this CA after 1st April 2015. This covers two roots in our store - "CNNIC ROOT" and "China Internet Network Information Center EV Certificates Root". We have a whitelist of older certificates, and tools to generate it. The code implementing this restriction is in the Mozilla platform security code (PSM), which is shared by the Mozilla applications (Firefox, Thunderbird, etc.).
ANSSI
The French Government CA is name-constrained to those ccTLDs whose geographies are under the jurisdiction of France - that is, .fr, .gp, .gf, .mq, .re, .yt, .pm, .bl, .mf, .wf, .pf, .nc, and .tf. The code for that is in NSS.
StartCom
Mozilla currently recommends not trusting any certificates issued by this CA after October 21st, 2016. That recommendation covers the following roots:
- CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, O=StartCom Ltd., C=IL
- CN=StartCom Certification Authority G2, OU=null, O=StartCom Ltd., C=IL
This restriction has been implemented both in the Mozilla platform security code (PSM, https://hg.mozilla.org/mozilla-central/annotate/facaf90aeaaf/security/certverifier/NSSCertDBTrustDomain.cpp#l740), which is shared by the Mozilla applications (Firefox, Thunderbird, etc.), and in the NSS library code (https://hg.mozilla.org/projects/nss/annotate/1feb89a254de/lib/certhigh/certvfy.c#l492), which is used by applications that use the NSS certificate verification APIs.
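The CNNIC and StartCom sections above both describe the same kind of restriction: certificates chaining to a named root are distrusted when they were issued after a cutoff date, with an optional whitelist of older certificates that stay trusted. The following is an added example (not PSM or NSS code, and not from this page) of how a product that reuses Mozilla's root store could apply that rule itself. It assumes a minimal certificate view (subject DN, notBefore, SHA-256 fingerprint), matches roots by the CN of their subject rather than by the full DER-encoded DN as the real code does, reads "issued after" as a strictly later calendar day, and uses constructed fingerprints for the whitelist; the cutoff dates and root names are the ones stated on this page.

```python
from dataclasses import dataclass
from datetime import date, datetime, timezone

@dataclass
class Cert:
    """Minimal view of a certificate (assumed shape, not a real X.509 parser)."""
    subject: str          # RFC 4514-style DN string, e.g. "CN=..., O=..., C=.."
    not_before: datetime  # start of validity, i.e. the issuance date
    sha256: str = ""      # fingerprint, used for whitelist lookups

# Last calendar day on which issuance is still trusted, per root CN (from the page).
# Matching on CN alone is a simplification; PSM/NSS compare the full subject DN.
CUTOFF_BY_ROOT_CN = {
    "CNNIC ROOT": date(2015, 4, 1),
    "China Internet Network Information Center EV Certificates Root": date(2015, 4, 1),
    "StartCom Certification Authority": date(2016, 10, 21),
    "StartCom Certification Authority G2": date(2016, 10, 21),
}

def cn_of(dn):
    """Extract the CN attribute from a DN string (no escaped-comma handling; simplification)."""
    for part in dn.split(","):
        part = part.strip()
        if part.upper().startswith("CN="):
            return part[3:]
    return ""

def check_issuance_cutoff(chain, cutoffs=CUTOFF_BY_ROOT_CN, whitelist=frozenset()):
    """Apply the date-based distrust rule to a chain ordered end-entity first, root last.

    Returns (ok, reason). Roots with no cutoff entry are unrestricted; an end-entity
    whose fingerprint is on the whitelist stays trusted regardless of its issuance date.
    """
    root_cn = cn_of(chain[-1].subject)
    cutoff = cutoffs.get(root_cn)
    if cutoff is None:
        return True, "root is not subject to an issuance cutoff"
    ee = chain[0]
    if ee.sha256 and ee.sha256 in whitelist:
        return True, "end-entity certificate is on the whitelist"
    issued = ee.not_before.astimezone(timezone.utc).date()
    if issued > cutoff:
        return False, "issued %s, after the %s cutoff for %s" % (issued, cutoff, root_cn)
    return True, "issued %s, on or before the %s cutoff" % (issued, cutoff)

if __name__ == "__main__":
    # Constructed chain: a StartCom-rooted certificate issued after the cutoff.
    root = Cert("CN=StartCom Certification Authority, OU=Secure Digital Certificate Signing, "
                "O=StartCom Ltd., C=IL", datetime(2006, 9, 17, tzinfo=timezone.utc))
    ee = Cert("CN=www.example.test", datetime(2017, 1, 1, tzinfo=timezone.utc), "constructed-ee")
    print(check_issuance_cutoff([ee, root]))
```

The whitelist lookup comes before the date comparison so that the CNNIC-style exception list works exactly as described: an older certificate remains trusted even though the root itself is under a cutoff.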
Kamu SM
The Turkish Government CA is name-constrained to a set of Turkish top-level domains - that is, .gov.tr, .k12.tr, .pol.tr, .mil.tr, .tsk.tr, .kep.tr, .bel.tr, .edu.tr and .org.tr. The code for that is in NSS.
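The ANSSI and Kamu SM sections both impose name constraints that NSS enforces internally rather than encoding in certdata.txt. As an added example (not NSS code, and not from this page) of how a consumer of the root store could enforce the same permitted-subtree lists, the following checks every dNSName of an end-entity against the subtrees for its root using the RFC 5280 section 4.2.1.10 rule: a name satisfies a constraint when it equals the constraint or adds labels to its left-hand side. The domain lists are the ones stated on this page; the root labels used as dictionary keys are descriptive names chosen here (NSS identifies the roots by their actual certificates), and how NSS encodes the constraints in its own table is not reproduced.

```python
# Permitted DNS subtrees per name-constrained root, taken from the page.
# Keys are labels chosen for this example; they are not identifiers NSS uses.
PERMITTED_DNS_SUBTREES = {
    "ANSSI (French Government CA)": [
        "fr", "gp", "gf", "mq", "re", "yt", "pm", "bl", "mf", "wf", "pf", "nc", "tf",
    ],
    "Kamu SM (Turkish Government CA)": [
        "gov.tr", "k12.tr", "pol.tr", "mil.tr", "tsk.tr", "kep.tr", "bel.tr", "edu.tr", "org.tr",
    ],
}

def _labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")

def dns_name_in_subtree(name, subtree):
    """RFC 5280 4.2.1.10: the name satisfies the constraint when its trailing labels
    equal the constraint's labels (zero or more extra labels on the left are allowed).
    Label-wise comparison avoids the classic suffix bug where "xgov.tr" would match "gov.tr".
    """
    n, s = _labels(name), _labels(subtree)
    if not all(n) or not all(s):
        return False  # empty labels (e.g. "a..b") are malformed and never match
    return len(n) >= len(s) and n[len(n) - len(s):] == s

def check_dns_names(root_label, dns_names):
    """Return (ok, violations) for the dNSNames of a certificate chaining to root_label.

    Roots without an entry carry no additional constraint. A certificate fails as soon
    as one of its names is outside every permitted subtree, mirroring the all-or-nothing
    semantics of a permitted-subtrees name constraint.
    """
    subtrees = PERMITTED_DNS_SUBTREES.get(root_label)
    if subtrees is None:
        return True, []
    violations = [
        n for n in dns_names
        if not any(dns_name_in_subtree(n, s) for s in subtrees)
    ]
    return not violations, violations

if __name__ == "__main__":
    # Constructed SAN lists for illustration.
    print(check_dns_names("ANSSI (French Government CA)", ["www.example.fr", "api.example.re"]))
    print(check_dns_names("Kamu SM (Turkish Government CA)", ["portal.gov.tr", "www.example.com"]))
```

A wildcard such as "*.edu.tr" is treated here as an ordinary leftmost label, so it satisfies the "edu.tr" subtree; RFC 5280 leaves wildcard handling to the implementation, so a deployment should check that this matches the behaviour of the verifier it is mirroring.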
Symantec
Symantec certificates issued before 1 June 2016 are distrusted starting in Firefox 60 unless they are issued by certain whitelisted intermediate CAs (Bug 1409257). This is in accordance with the distrust plan of 2017.