> If you are embedding our root store, you need to know that we have imposed some restrictions on certain CAs or certificates which are not encoded in certdata.txt. These are documented on a best-efforts basis.
I was partially aware of this, i.e. with regard to the Symantec CT restrictions, but I wasn't aware the additional name constraints were also part of this. It turns out that the only additional name constraint is for this specific root.
We could conceivably also consume https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV to add these additional constraints, but the "Mozilla Applied Constraints" field here is not explicitly documented anywhere (as far as I can tell), so assuming it will always be a single name (or that it'll be a name at all and not something entirely different) is perhaps a pitfall.
We could manually encode this particular restriction, not in the certdata parser itself, but in the root bundle generator. But that is also fragile.
Feb 8, 2024
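As an added example (not code from the issue or from the project), a defensive reader for the "Mozilla Applied Constraints" field discussed above: it only turns the value into a DNS name constraint when it is unambiguously a single DNS subtree, and otherwise flags the row for manual review instead of guessing. The other CSV column names, the sample rows and the fingerprints are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample in the layout of the CCADB IncludedCACertificateReportPEMCSV
# report. Only the "Mozilla Applied Constraints" column name comes from the issue;
# the other column names, rows and fingerprints are assumptions for this example.
SAMPLE_CSV = """\
"Common Name or Certificate Name","SHA-256 Fingerprint","Mozilla Applied Constraints"
"Example Unconstrained Root","AA11",""
"Example Constrained Root","BB22","example.test"
"Example Oddly Annotated Root","CC33","see bug 1234567"
"""

# One permitted DNS subtree as it would appear in a name constraint: an optional
# leading dot followed by at least two labels of letters, digits and hyphens.
_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_DNS_SUBTREE = re.compile(rf"^\.?{_LABEL}(?:\.{_LABEL})+$", re.I)


def parse_applied_constraint(raw):
    """Return ('none', None), ('dns', name) or ('unknown', raw).

    The field is undocumented, so anything that is not exactly one DNS subtree
    is reported as 'unknown' rather than silently encoded as a name constraint.
    """
    value = raw.strip()
    if not value:
        return ("none", None)
    # Lists, free text and anything with whitespace are not a single name.
    if "," in value or any(ch.isspace() for ch in value):
        return ("unknown", value)
    if _DNS_SUBTREE.match(value):
        return ("dns", value.lower())
    return ("unknown", value)


def constrained_roots(csv_text):
    """Map normalised SHA-256 fingerprint -> (kind, value) for every root."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        fp = row["SHA-256 Fingerprint"].replace(":", "").upper()
        result[fp] = parse_applied_constraint(row.get("Mozilla Applied Constraints", ""))
    return result
```

A bundle generator would apply only the `dns` results and fail its build (or log loudly) on any `unknown` row, so a change in the field's format is noticed rather than encoded as a bogus constraint.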