On Friday, January 10, 2025 at 12:13:51 PM UTC-5 Andrew Ayer wrote:
Hi Mike, GLOBALTRUST was never removed from the Mozilla root store. Rather, it was tagged with a "Distrust After" date which instructs Firefox to distrust certificates whose Not Before date is after the root's Distrust After date. This is not a security measure (since backdating certificates is trivial), but rather a mechanism to gracefully sunset a root so it can be removed without causing problems 398 days later. However, Curl's mk-ca-bundle.pl script was incorrectly interpreting the Distrust After date <https://github.com/curl/curl/issues/15547>, causing GLOBALTRUST to be incorrectly excluded. Once that bug was fixed, mk-ca-bundle.pl began emitting GLOBALTRUST again. There are several reasons why this is unsatisfying. To begin with, Mozilla should not be trusting a CA like GLOBALTRUST _at all_, a point that I and others raised last year < https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI/m/j76_U_fMAAAJ>. Second, root constraints like Distrust After would ideally be propagated in the PEM bundle through to certificate validators instead of being dropped by mk-ca-bundle.pl, but there is no widely-supported mechanism for this at the moment. For more background, see https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended The thread was forwarded to the curl-library mailing list at <https://curl.se/mail/lib-2025-01/0018.html>. Jeff -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/1c0850dd-68ed-46e5-a40a-2d93a2eef39fn%40mozilla.org.
