Andrew, That explains everything -- I didn't see the issue in curl you reported, nor did I understand the meaning of "Distrust After." Thank you.
- Mike

On Friday, January 10, 2025 at 11:13:51 AM UTC-6 Andrew Ayer wrote:
> Hi Mike,
>
> GLOBALTRUST was never removed from the Mozilla root store. Rather, it was
> tagged with a "Distrust After" date which instructs Firefox to distrust
> certificates whose Not Before date is after the root's Distrust After date.
> This is not a security measure (since backdating certificates is trivial),
> but rather a mechanism to gracefully sunset a root so it can be removed
> without causing problems 398 days later.
>
> However, Curl's mk-ca-bundle.pl script was incorrectly interpreting the
> Distrust After date <https://github.com/curl/curl/issues/15547>, causing
> GLOBALTRUST to be incorrectly excluded. Once that bug was fixed,
> mk-ca-bundle.pl began emitting GLOBALTRUST again.
>
> There are several reasons why this is unsatisfying. To begin with, Mozilla
> should not be trusting a CA like GLOBALTRUST _at all_, a point that I and
> others raised last year
> <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI/m/j76_U_fMAAAJ>.
>
> Second, root constraints like Distrust After would ideally be propagated in
> the PEM bundle through to certificate validators instead of being dropped
> by mk-ca-bundle.pl, but there is no widely-supported mechanism for this
> at the moment. For more background, see
> https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended
>
> Regards,
> Andrew

--
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/2125e5ec-2028-43b7-9317-a78c5c87a0f6n%40mozilla.org.
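Added example (not code from the thread, from curl, or from Mozilla): the Distrust After rule Andrew describes, written out as a small Python check, next to the two outcomes a flat PEM bundle can produce. certdata.txt stores CKA_NSS_SERVER_DISTRUST_AFTER as an octal-escaped "YYMMDDHHMMSSZ" string, and the decoder follows that layout; the cut-off date, the leaf Not Before dates and the function names are all constructed for illustration and are not GLOBALTRUST's real values. It does not reproduce the mk-ca-bundle.pl bug itself, only the semantics the thread says the script should have honoured.

```python
from datetime import datetime, timezone

# Constructed sample value. certdata.txt stores CKA_NSS_SERVER_DISTRUST_AFTER as the
# octal-escaped bytes of a "YYMMDDHHMMSSZ" string; the date below is made up for this
# example and is not GLOBALTRUST's real cut-off.
SAMPLE_DISTRUST_AFTER_OCTAL = r"\062\064\060\066\063\060\060\060\060\060\060\060\132"


def decode_octal_string(escaped: str) -> str:
    """Turn a '\\ooo\\ooo...' MULTILINE_OCTAL value back into its ASCII text."""
    return "".join(chr(int(part, 8)) for part in escaped.split("\\") if part)


def parse_utctime(value: str) -> datetime:
    """Parse the 'YYMMDDHHMMSSZ' form used for Distrust After into an aware datetime."""
    return datetime.strptime(value, "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def root_usable_for(leaf_not_before: datetime, distrust_after) -> bool:
    """The rule from the thread: a root carrying a Distrust After date still validates
    certificates whose Not Before is on or before that date and rejects later ones.
    A root with no Distrust After value is simply trusted. Note that the check looks
    only at Not Before, which is why a backdated certificate sails through."""
    if distrust_after is None:
        return True
    return leaf_not_before <= distrust_after


def bundle_divergence(distrust_after: datetime, leaf_not_befores):
    """A PEM bundle cannot express the constraint, so a validator fed such a bundle
    either trusts the root for every leaf (root kept) or for none (root dropped).
    Returns, per leaf, the NSS-style verdict and whether each bundle choice diverges."""
    rows = []
    for nb in leaf_not_befores:
        nss_verdict = root_usable_for(nb, distrust_after)
        rows.append({
            "leaf_not_before": nb.strftime("%Y-%m-%d"),
            "nss_verdict": nss_verdict,
            # keeping the root over-trusts leaves issued after the cut-off
            "keep_root_diverges": nss_verdict is False,
            # dropping the root breaks leaves issued before the cut-off
            "drop_root_diverges": nss_verdict is True,
        })
    return rows


if __name__ == "__main__":
    cutoff = parse_utctime(decode_octal_string(SAMPLE_DISTRUST_AFTER_OCTAL))
    leaves = [parse_utctime("240601000000Z"),   # issued before the cut-off
              parse_utctime("240701000000Z"),   # issued after the cut-off
              parse_utctime("240101000000Z")]   # a backdated Not Before also passes
    for row in bundle_divergence(cutoff, leaves):
        print(row)
```

Running it prints one row per constructed leaf: the pre-cut-off leaf is only broken if the bundle drops the root, the post-cut-off leaf is only over-trusted if the bundle keeps it, and the backdated leaf is accepted either way, which is the sense in which Distrust After is a sunset mechanism rather than a security boundary.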
