On Thu, Jun 10, 2021 at 01:28:36PM +0100, Stuart Henderson wrote:
> On 2021/06/10 13:05, Theo Buehler wrote:
> > On Thu, Jun 10, 2021 at 11:39:46AM +0100, Stuart Henderson wrote:
> > > I was just reminded of the Apple cert problem with GeoTrust Global CA
> > > and checked and they're using better intermediates for api.push.apple.com
> > > now. OK to sync up with Mozilla's CA bundle again, including removal
> > > of GeoTrust Global CA?
> >
> > Thanks!
> >
> > > Changes in the list first; diff below:
> > >
> > > -AC Camerfirma S.A.
> >
> > Ah, good.
> >
> > > Staat der Nederlanden
> > > /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden EV Root CA
> > > - /C=NL/O=Staat der Nederlanden/CN=Staat der Nederlanden Root CA - G3
> >
> > I could not find any information on this removal and it's still in my
> > firefox. Why is that removed in your diff?
> >
>
> Ah, there's a handy summary ticket:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1693217
>
> Validity in NSS was changed from web+email to just email:
>
> https://hg.mozilla.org/projects/nss/rev/720a1118f16b60c218a308949554b2d21681c41f
> https://bugzilla.mozilla.org/show_bug.cgi?id=1687822
>
> Obviously the cert.pem format doesn't allow expressing different trust
> purposes or levels as is done in NSS; the script I'm using to convert
> (curl's "mk-ca-bundle") defaults to only include certificates listed for
> "SERVER_AUTH", hence the removal. (You can see it reflected in firefox
> if you "edit purposes").
>
> The script accepts a parameter to allow different trusts so if we wanted
> to include certificates only trusted for email, we could do that;
> doing that would however re-enable the O=AC Camerfirma S.A. roots unless
> we manually tweak it.
Thanks for digging this up. I think this is not worth it. I was just
puzzled because the certificate wasn't listed under the removed
certificates: https://wiki.mozilla.org/CA/Removed_Certificates

ok tb for the diff as you sent it.

> > The relevant data is in the "Trust for Certificate XXX" in certdata.txt
> > and looks like this:
> >
> > CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
> > CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
> > CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
> >
> > "CKT_NSS_MUST_VERIFY_TRUST" is "don't trust as a CA" and
> > "CKT_NSS_TRUSTED_DELEGATOR" is "do trust as a CA"
> >
> > https://hg.mozilla.org/releases/mozilla-beta/annotate/tip/security/nss/lib/ckfw/builtins/certdata.txt
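The per-purpose trust records quoted above, and the "SERVER_AUTH only" selection that mk-ca-bundle defaults to, are easy to see in a small parser. The following is an added example, not code from the thread or from curl's mk-ca-bundle: it reads certdata.txt-style trust objects, records the CKT_NSS_* level for each CKA_TRUST_* purpose, and keeps a root only if it is CKT_NSS_TRUSTED_DELEGATOR for one of the requested purposes. The certdata excerpt embedded in it is constructed and the root names are placeholders; `parse_trust_records` and `select_roots` are names chosen here.

```python
"""Select roots from certdata.txt-style trust records by purpose.

Added example (not the thread's or curl's code). Mirrors the rule the
thread describes: a root goes into the bundle only when the requested
purpose is CKT_NSS_TRUSTED_DELEGATOR; CKT_NSS_MUST_VERIFY_TRUST means
"don't trust as a CA" for that purpose, so an email-only root drops out
of a SERVER_AUTH-only bundle.
"""
import re
from dataclasses import dataclass, field

TRUSTED = "CKT_NSS_TRUSTED_DELEGATOR"       # do trust as a CA for this purpose
MUST_VERIFY = "CKT_NSS_MUST_VERIFY_TRUST"   # don't trust as a CA for this purpose

# "CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR" -> (SERVER_AUTH, level)
TRUST_LINE = re.compile(r"^CKA_TRUST_(\w+)\s+CK_TRUST\s+(CKT_NSS_\w+)\s*$")
LABEL_LINE = re.compile(r'^CKA_LABEL\s+UTF8\s+"(.*)"\s*$')

# Constructed sample in certdata.txt layout; labels are placeholders.
SAMPLE_CERTDATA = """\
# constructed sample, not real certdata.txt content
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Web Root"

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
"""


@dataclass
class TrustRecord:
    label: str = ""
    trust: dict = field(default_factory=dict)  # purpose -> CKT_NSS_* level


def parse_trust_records(text):
    """Return the CKO_NSS_TRUST objects found in certdata-style text."""
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("CKA_CLASS"):
            # Every object begins with CKA_CLASS; only trust objects matter here,
            # certificate objects (CKO_CERTIFICATE) carry no trust flags.
            current = TrustRecord() if line.endswith("CKO_NSS_TRUST") else None
            if current is not None:
                records.append(current)
            continue
        if current is None:
            continue
        m = LABEL_LINE.match(line)
        if m:
            current.label = m.group(1)
            continue
        m = TRUST_LINE.match(line)
        if m:
            current.trust[m.group(1)] = m.group(2)
    return records


def select_roots(text, purposes=("SERVER_AUTH",)):
    """Labels of roots trusted as a CA for at least one requested purpose."""
    return [
        rec.label
        for rec in parse_trust_records(text)
        if any(rec.trust.get(p) == TRUSTED for p in purposes)
    ]


if __name__ == "__main__":
    print("SERVER_AUTH only:", select_roots(SAMPLE_CERTDATA))
    print("web + email:", select_roots(SAMPLE_CERTDATA, ("SERVER_AUTH", "EMAIL_PROTECTION")))
```

With the default purposes the email-only root is left out, which is the effect the thread explains for the Staat der Nederlanden Root CA - G3 entry. Passing `("SERVER_AUTH", "EMAIL_PROTECTION")` brings it back, and the same widening would readmit any other root that is trusted only for email, which is the caveat raised about the Camerfirma roots: whatever purposes are chosen apply to the whole list, not to one certificate.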
