On 2021/06/10 13:05, Theo Buehler wrote:
> On Thu, Jun 10, 2021 at 11:39:46AM +0100, Stuart Henderson wrote:
> > I was just reminded of the Apple cert problem with GeoTrust Global CA
> > and checked and they're using better intermediates for api.push.apple.com
> > now. OK to sync up with Mozilla's CA bundle again, including removal
> > of GeoTrust Global CA?
> 
> Thanks!
> 
> > Changes in the list first; diff below:
> > 
> > -AC Camerfirma S.A.
> 
> Ah, good.
> 
> >  Staat der Nederlanden
> >    /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
> > -  /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
> 
> I could not find any information on this removal and it's still in my
> firefox. Why is that removed in your diff?
> 

Ah, there's a handy summary ticket:

https://bugzilla.mozilla.org/show_bug.cgi?id=1693217

Validity in NSS was changed from web+email to just email:

https://hg.mozilla.org/projects/nss/rev/720a1118f16b60c218a308949554b2d21681c41f
https://bugzilla.mozilla.org/show_bug.cgi?id=1687822

Obviously the cert.pem format doesn't allow expressing different trust
purposes or levels as is done in NSS; the script I'm using to convert
(curl's "mk-ca-bundle") defaults to only including certificates listed for
"SERVER_AUTH", hence the removal. (You can see it reflected in firefox
if you "edit purposes".)

The script accepts a parameter to allow different trusts, so if we wanted
to include certificates only trusted for email, we could do that;
doing that would however re-enable the O=AC Camerfirma S.A. roots unless
we manually tweak it.

The relevant data is in the "Trust for Certificate XXX" section in certdata.txt
and looks like this:

CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

"CKT_NSS_MUST_VERIFY_TRUST" is "don't trust as a CA", and
"CKT_NSS_TRUSTED_DELEGATOR" is "do trust as a CA".

https://hg.mozilla.org/releases/mozilla-beta/annotate/tip/security/nss/lib/ckfw/builtins/certdata.txt

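As an added illustration (my own code, not from the thread, from mk-ca-bundle or from NSS): a small Python reimplementation of the filtering the message describes. It parses the certdata.txt object layout quoted above into dicts of CKA_* attributes, keeps a certificate only when its "Trust for" record carries CKT_NSS_TRUSTED_DELEGATOR for one of the requested purposes (SERVER_AUTH by default, as the message says the script does; adding EMAIL_PROTECTION brings an email-only root back, the effect described for the Camerfirma roots), and writes the survivors out as PEM. The certdata sample is constructed, with hypothetical labels and placeholder octal payloads rather than real certificates; trust records are matched to certificates by CKA_LABEL as a simplification, and all function names are mine.

```python
import base64
import re

# Constructed, heavily abbreviated imitation of the NSS certdata.txt layout
# (hypothetical labels; the MULTILINE_OCTAL payloads are tiny placeholders,
# not real DER). One root trusted for web and email, one for email only
# (the situation the thread describes for the G3 root), one distrusted.
SAMPLE_CERTDATA = r"""
# Certificate "Example Web Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Web Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\001
END
# Trust for "Example Web Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
# Certificate "Example Email-Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\002
END
# Trust for "Example Email-Only Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
# Certificate "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_VALUE MULTILINE_OCTAL
\060\003\002\001\003
END
# Trust for "Example Distrusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
"""

OCTAL_RE = re.compile(r"\\([0-7]{3})")

def decode_octal(lines):
    """Turn MULTILINE_OCTAL lines such as '\\060\\202' into bytes."""
    return bytes(int(m.group(1), 8) for ln in lines for m in OCTAL_RE.finditer(ln))

def parse_certdata(text):
    """Split certdata.txt into one dict of CKA_* attributes per object; a new
    object starts at each CKA_CLASS line, octal blocks become bytes."""
    objects, current = [], None
    lines = iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank lines, comments, BEGINDATA
        key, typ = parts[0], parts[1]
        if key == "CKA_CLASS":
            current = {}
            objects.append(current)
        if typ == "MULTILINE_OCTAL":
            chunk = []
            for raw in lines:  # consume the octal block up to END
                if raw.strip() == "END":
                    break
                chunk.append(raw)
            current[key] = decode_octal(chunk)
        elif typ == "UTF8":
            current[key] = parts[2].strip('"')
        else:
            current[key] = parts[2]
    return objects

def select_roots(objects, purposes=("SERVER_AUTH",), level="TRUSTED_DELEGATOR"):
    """Map label -> DER for certificates whose trust record has CKT_NSS_<level>
    for at least one requested purpose (defaults: the SERVER_AUTH-only pick
    the thread describes). Matching by CKA_LABEL is a simplifying assumption."""
    certs = {o["CKA_LABEL"]: o["CKA_VALUE"]
             for o in objects if o.get("CKA_CLASS") == "CKO_CERTIFICATE"}
    wanted = "CKT_NSS_" + level
    return {o["CKA_LABEL"]: certs[o["CKA_LABEL"]] for o in objects
            if o.get("CKA_CLASS") == "CKO_NSS_TRUST" and o["CKA_LABEL"] in certs
            and any(o.get("CKA_TRUST_" + p) == wanted for p in purposes)}

def to_pem(der):
    """Wrap DER bytes in the armour a cert.pem bundle uses."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % body

def build_bundle(text, purposes=("SERVER_AUTH",)):
    """Emit a cert.pem-style bundle (sorted by label) from certdata text."""
    roots = select_roots(parse_certdata(text), purposes)
    return "".join(to_pem(roots[label]) for label in sorted(roots))
```

`build_bundle(SAMPLE_CERTDATA)` yields only the web root; `build_bundle(SAMPLE_CERTDATA, ("SERVER_AUTH", "EMAIL_PROTECTION"))` adds the email-only root, while the root marked CKT_NSS_NOT_TRUSTED never matches because the filter looks for the trusted-delegator level, not merely for the absence of MUST_VERIFY_TRUST.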