Hi Ben,

Would roots with constraints in their certdata.txt entry (such as CKA_NSS_SERVER_DISTRUST_AFTER) be listed in these reports?

Also, is the intention for applications to use the MozillaTLSServerAuthenticationPEMOnly report as a trust anchor pool? Because I can guarantee that offering the report in such a convenient PEM format will lead to it being used that way.

(It's really unfortunate that as an industry we have not found a better minimum common denominator format for root anchors than a pile of PEM files. It means applications often miss out on constraints like SCT-based distrusts, enforced name constraints, etc. However, that's a broader issue and probably not something needing to be solved for these reports.)

Cheers,
Filippo

2025-10-27 19:08 GMT+01:00 'Ben Wilson' via [email protected] <[email protected]>:
> Dear Mozilla Community,
>
> Four new Root CA reports are now available for review from the CCADB. These
> reports provide information on Root Certificates trusted for TLS and S/MIME
> authentication within Mozilla’s Root Store. (These links will go on
> https://wiki.mozilla.org/CA/Included_Certificates and
> https://www.ccadb.org/resources.)
>
> _TLS ServerAuth Roots_
>
> *Full report (CSV):*
> https://ccadb.my.salesforce-sites.com/ccadb/Report?Name=MozillaTLSServerAuthenticationCSV
>
> A list of *144 Root CAs* with the *websites* trust bit enabled, including:
>
> • CA Owner
> • Certificate Name
> • SHA-256 Fingerprint
> • SPKI SHA256
> • Valid From / Valid To (GMT)
> • Full CRL Issued By This CA
> • JSON Array of Partitioned CRLs
> • X.509 Certificate (PEM format)
>
> *PEM-only version:*
> https://ccadb.my.salesforce-sites.com/ccadb/Report?Name=MozillaTLSServerAuthenticationPEMOnly
>
> _Email S/MIME Roots_
>
> *Full report (CSV):*
> https://ccadb.my.salesforce-sites.com/ccadb/Report?Name=MozillaSMIMECSV
>
> A list of *134 Root CAs* with the *email* trust bit enabled, including:
>
> • CA Owner
> • Certificate Name
> • SHA-256 Fingerprint
> • SPKI SHA256
> • Valid From / Valid To (GMT)
> • Full CRL Issued By This CA
> • JSON Array of Partitioned CRLs
> • X.509 Certificate (PEM format)
>
> *PEM-only version:*
> https://ccadb.my.salesforce-sites.com/ccadb/Report?Name=MozillaSMIMEPEMOnly
>
> Please review these reports and share any feedback or suggested changes by
> next Monday.
>
> Thank you,
> Ben Wilson
> Mozilla Root Program
>
> --
> You received this message because you are subscribed to the Google Groups
> "[email protected]" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To view this discussion visit
> https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYNWbmgbiySJLUsF-VBO2onv-Yp4CA%2BtDv5bdsmMoovHg%40mail.gmail.com
> <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CA%2B1gtaYNWbmgbiySJLUsF-VBO2onv-Yp4CA%2BtDv5bdsmMoovHg%40mail.gmail.com?utm_medium=email&utm_source=footer>.
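Added example, not part of the thread and not Mozilla or CCADB code: a consumer of a PEM-only bundle can cross-check it against certdata.txt for the CKA_NSS_SERVER_DISTRUST_AFTER constraint raised in the reply above. The sample entries, labels and dates are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in certdata.txt syntax. Labels and dates are made up;
# the certificate bytes and most other attributes are omitted.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Constrained Root"
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\065\060\061\060\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Unconstrained Root"
CKA_NSS_MOZILLA_CA_POLICY CK_BBOOL CK_TRUE
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
'''

def distrust_after(certdata, attr="CKA_NSS_SERVER_DISTRUST_AFTER"):
    """Map root label -> distrust-after time (UTC) for roots that carry one."""
    out, label, lines = {}, None, iter(certdata.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith("CKA_CLASS "):
            label = None                      # a new object begins
        elif line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"')[1]
        elif line == attr + " MULTILINE_OCTAL":
            octal = ""
            for body in lines:                # consume up to the END marker
                if body.strip() == "END":
                    break
                octal += body.strip()
            raw = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
            # The value is an ASCII timestamp of the form YYMMDDHHMMSSZ.
            when = datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ")
            out[label] = when.replace(tzinfo=timezone.utc)
    return out

def leaf_allowed(constraints, root_label, leaf_not_before):
    """A leaf whose notBefore is later than the root's cutoff is rejected."""
    cutoff = constraints.get(root_label)
    return cutoff is None or leaf_not_before <= cutoff

if __name__ == "__main__":
    for name, cutoff in distrust_after(SAMPLE).items():
        print(f"{name}: server distrust after {cutoff.isoformat()}")
```

A root that appears here is still present in a plain PEM bundle, so a verifier loading only the PEM file would accept leaves the NSS store rejects.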
