Hi Mike,

GLOBALTRUST was never removed from the Mozilla root store.  Rather, it was 
tagged with a "Distrust After" date which instructs Firefox to distrust 
certificates whose Not Before date is after the root's Distrust After date.  
This is not a security measure (since backdating certificates is trivial), but 
rather a mechanism to gracefully sunset a root so it can be removed without 
causing problems 398 days later.

However, Curl's mk-ca-bundle.pl script was incorrectly interpreting the 
Distrust After date <https://github.com/curl/curl/issues/15547>, causing 
GLOBALTRUST to be incorrectly excluded.  Once that bug was fixed, 
mk-ca-bundle.pl began emitting GLOBALTRUST again.

There are several reasons why this is unsatisfying.  To begin with, Mozilla 
should not be trusting a CA like GLOBALTRUST _at all_, a point that I and 
others raised last year 
<https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI/m/j76_U_fMAAAJ>.
 Second, root constraints like Distrust After would ideally be propagated in 
the PEM bundle through to certificate validators instead of being dropped by 
mk-ca-bundle.pl, but there is no widely-supported mechanism for this at the 
moment.  For more background, see 
https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended

Regards,
Andrew

-- 
To view this discussion visit 
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/20250110101346.0d8db258700b7ed4bf56e96c%40andrewayer.name.

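The two consumers the message contrasts, a Firefox-style validator that keeps the root and enforces its Distrust After date, and a PEM-only bundle such as the one mk-ca-bundle.pl produces, in which the constraint is dropped, as an added example that is not code from the message, from Mozilla or from curl. It is a stdlib-only Python model: the root entries, PEM bodies, leaf dates and the Distrust After date are all constructed for illustration (not GLOBALTRUST's real values), and the 398-day maximum leaf lifetime is taken from the message's remark and assumed to be the current limit.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Maximum leaf lifetime behind the message's "398 days later" remark. Assumed
# for this example; it is not a value read from certdata.txt.
MAX_LEAF_LIFETIME = timedelta(days=398)


@dataclass(frozen=True)
class RootEntry:
    """A root as held in a Mozilla-style store: PEM body plus an optional
    Distrust After constraint. The PEM text is a constructed placeholder."""
    name: str
    pem: str
    distrust_after: Optional[date] = None


@dataclass(frozen=True)
class Leaf:
    """The only leaf fields the check needs, plus the real signing date, which
    is NOT visible to any validator (it exists here only to show backdating)."""
    subject: str
    issuer_root: str
    not_before: date
    actually_signed_on: date


def firefox_style_trusted(root: RootEntry, leaf: Leaf) -> bool:
    """Mozilla semantics: the root stays in the store, but a chain is rejected
    when the leaf's Not Before is after the root's Distrust After date."""
    if leaf.issuer_root != root.name:
        return False
    if root.distrust_after is None:
        return True
    return leaf.not_before <= root.distrust_after


def pem_bundle(roots: list) -> str:
    """Model of a PEM-only export: the constraint has no place to go, so the
    bundle carries only the PEM bodies."""
    return "".join(r.pem for r in roots)


def bundle_trusted(bundle: str, root: RootEntry, leaf: Leaf) -> bool:
    """A bundle consumer (curl/OpenSSL style) sees only the PEM, so every leaf
    the root signed is trusted regardless of Not Before."""
    return root.pem in bundle and leaf.issuer_root == root.name


def earliest_safe_removal(root: RootEntry) -> Optional[date]:
    """Date from which the root can be dropped outright: once every leaf that
    could have been issued under the Distrust After date has expired."""
    if root.distrust_after is None:
        return None
    return root.distrust_after + MAX_LEAF_LIFETIME


# Constructed sample store; the Distrust After date is illustrative only.
GLOBALTRUST_SAMPLE = RootEntry(
    name="GLOBALTRUST (sample)",
    pem="-----BEGIN CERTIFICATE-----\nMIIB...sample...\n-----END CERTIFICATE-----\n",
    distrust_after=date(2024, 6, 30),
)
UNCONSTRAINED_ROOT = RootEntry(
    name="Unconstrained Root (sample)",
    pem="-----BEGIN CERTIFICATE-----\nMIIC...sample...\n-----END CERTIFICATE-----\n",
)


def demo() -> dict:
    """Run the three leaf scenarios the message implies against both consumers."""
    root = GLOBALTRUST_SAMPLE
    bundle = pem_bundle([root, UNCONSTRAINED_ROOT])
    before = Leaf("example.test", root.name, date(2024, 5, 1), date(2024, 5, 1))
    after = Leaf("example.test", root.name, date(2024, 9, 1), date(2024, 9, 1))
    # Signed after the cutoff but stamped with an earlier Not Before: the check
    # cannot tell this apart from `before`, which is why the message calls
    # Distrust After a sunset mechanism rather than a security measure.
    backdated = Leaf("example.test", root.name, date(2024, 5, 1), date(2024, 9, 1))
    return {
        "firefox_accepts_before": firefox_style_trusted(root, before),
        "firefox_accepts_after": firefox_style_trusted(root, after),
        "firefox_accepts_backdated": firefox_style_trusted(root, backdated),
        "bundle_accepts_after": bundle_trusted(bundle, root, after),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    print("earliest safe removal:", earliest_safe_removal(GLOBALTRUST_SAMPLE))
```

The point to take from the two consumers is the one the message makes about propagation: the Firefox-style check and the bundle check disagree only on leaves dated after the cutoff, and that disagreement is exactly the information a PEM-only bundle cannot carry.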