You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
When parsing certdata.txt, mk-ca-bundle.pl excludes roots whose CKA_NSS_SERVER_DISTRUST_AFTER time is after the current time.
This is incorrect behavior. CKA_NSS_SERVER_DISTRUST_AFTER is supposed to be compared against the leaf certificate's NotBefore time, not the current time:
If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a certificate that builtin issued, then clients can elect not to trust it.
Mozilla intends to set the CKA_NSS_SERVER_DISTRUST_AFTER date of Entrust roots to November 30, 2024. mk-ca-bundle.pl's current behavior will cause consumers of mk-ca-bundle.pl to reject Entrust certificates that Firefox would have accepted, causing breakage that Mozilla did not intend.
Instead, mk-ca-bundle.pl should just ignore the CKA_NSS_SERVER_DISTRUST_AFTER date. Although this would cause consumers of mk-ca-bundle.pl to accept certificates that Firefox would have rejected, in practice this is not any less secure than Firefox. This is because roots with a CKA_NSS_SERVER_DISTRUST_AFTER date still have the ability to issue new certificates that are accepted by Firefox, by simply backdating the certificate's NotBefore date. The point of CKA_NSS_SERVER_DISTRUST_AFTER is not to provide security from an untrustworthy root, but to gracefully sunset trust in a root. When Mozilla adds CKA_NSS_SERVER_DISTRUST_AFTER to a root, they're not saying that certificates issued after that date are untrustworthy. Instead, they are saying that they would like to remove the root at some point in the future. Combined with enforcement of the 398 day maximum certificate lifetime, CKA_NSS_SERVER_DISTRUST_AFTER ensures that all certificates issued by a root are expired 398 days after the CKA_NSS_SERVER_DISTRUST_AFTER date, allowing for the root's removal without breakage. Consequentially, it is appropriate for mk-ca-bundle.pl to ignore CKA_NSS_SERVER_DISTRUST_AFTER and wait for Mozilla to fully remove the root.
curl/libcurl version
N/A
operating system
N/A
The text was updated successfully, but these errors were encountered:
The script's previous treatment of this meta-data was a
misunderstanding. (Added in 1ebc53d) The mistrust is not for
the root cert at this date (it would simply be removed from the bundle
then instead) but for created server certificates:
If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER
timestamp before the SCT or NotBefore date of a certificate that
builtin issued, then clients can elect not to trust it.
That is however information that cannot be provided in the generated PEM
output.
Fixes#15547
Reported-by: Andrew Ayer
The script's previous treatment of this meta-data was a
misunderstanding. (Added in 1ebc53d) The mistrust is not for
the root cert at this date (it would simply be removed from the bundle
then instead) but for created server certificates:
If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER
timestamp before the SCT or NotBefore date of a certificate that
builtin issued, then clients can elect not to trust it.
That is however information that cannot be provided in the generated PEM
output.
Fixescurl#15547
Reported-by: Andrew Ayer
Closescurl#15552
I did this
No response
I expected the following
When parsing certdata.txt, mk-ca-bundle.pl excludes roots whose
CKA_NSS_SERVER_DISTRUST_AFTER
time is after the current time.This is incorrect behavior.
CKA_NSS_SERVER_DISTRUST_AFTER
is supposed to be compared against the leaf certificate's NotBefore time, not the current time:Source
See also https://bugzilla.mozilla.org/show_bug.cgi?id=1618404 and https://bugzilla.mozilla.org/show_bug.cgi?id=1621159
Mozilla intends to set the
CKA_NSS_SERVER_DISTRUST_AFTER
date of Entrust roots to November 30, 2024. mk-ca-bundle.pl's current behavior will cause consumers of mk-ca-bundle.pl to reject Entrust certificates that Firefox would have accepted, causing breakage that Mozilla did not intend.Instead, mk-ca-bundle.pl should just ignore the
CKA_NSS_SERVER_DISTRUST_AFTER
date. Although this would cause consumers of mk-ca-bundle.pl to accept certificates that Firefox would have rejected, in practice this is not any less secure than Firefox. This is because roots with aCKA_NSS_SERVER_DISTRUST_AFTER
date still have the ability to issue new certificates that are accepted by Firefox, by simply backdating the certificate's NotBefore date. The point ofCKA_NSS_SERVER_DISTRUST_AFTER
is not to provide security from an untrustworthy root, but to gracefully sunset trust in a root. When Mozilla addsCKA_NSS_SERVER_DISTRUST_AFTER
to a root, they're not saying that certificates issued after that date are untrustworthy. Instead, they are saying that they would like to remove the root at some point in the future. Combined with enforcement of the 398 day maximum certificate lifetime,CKA_NSS_SERVER_DISTRUST_AFTER
ensures that all certificates issued by a root are expired 398 days after theCKA_NSS_SERVER_DISTRUST_AFTER
date, allowing for the root's removal without breakage. Consequentially, it is appropriate for mk-ca-bundle.pl to ignoreCKA_NSS_SERVER_DISTRUST_AFTER
and wait for Mozilla to fully remove the root.curl/libcurl version
N/A
operating system
N/A
The text was updated successfully, but these errors were encountered: