Closed Bug 1438568 Opened 6 years ago Closed 6 years ago

Symantec subCA whitelisting in Firefox on a system that removes Symantec CA trust

Categories: Core :: Security: PSM, enhancement


RESOLVED WORKSFORME
Tracking Status
firefox60 --- affected

People

(Reporter: KaiE, Unassigned)

References

Details

This is to track a thought from Tomas Hoger.

In October 2018, Firefox wants to limit all Symantec CAs to a small set of subCAs (e.g. those owned by Apple/Google).

On Linux distributions (such as Fedora) the CA list is managed separately from Firefox, and the CA list is shared between Firefox and other applications.

On such a system, the administrator might decide to remove the Symantec CAs from the system's CA configuration.

What would be the consequence? If Firefox depends on the Symantec Roots to be present for the subCA whitelisting to work, then the whitelisting would fail.

Should the Firefox subCA whitelist implementation work in a way that is independent from the presence of the Symantec Roots in the CA trust store? Firefox could embed the required Symantec Roots in the code, and dynamically load them at startup.

But if Firefox used that dynamic loading of the Symantec Roots, how could a system administrator potentially disable the whitelisting?

I think it's helpful that Tomas raised this thought. We don't have to answer the questions now, but maybe it's helpful to keep them in mind when Firefox developers work on the October 2018 distrust implementation. If Firefox developers cannot support this scenario, then potentially the developers of Fedora might be required to implement downstream changes to Firefox.
See Also: → 1409257
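The dependency described in comment 0 can be made concrete with a toy path-validation model that contrasts the two designs: a whitelist that only applies once the chain reaches a root in the system store, and one where the application carries the distrusted roots itself. This is an added example, not code from this bug or from Firefox's PSM; the certificate names, the SPKI identifiers and the `embed_roots` switch are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass
class Cert:
    name: str    # constructed subject name
    issuer: str  # issuer's subject name; roots are self-issued
    spki: str    # constructed stand-in for a SubjectPublicKeyInfo hash


# Constructed hierarchy: one legacy root subject to distrust, one subCA on the
# exception list, one ordinary subCA, and a leaf under each.
LEGACY_ROOT = Cert("Legacy Root", "Legacy Root", "spki-legacy-root")
EXEMPT_SUBCA = Cert("Exempt SubCA", "Legacy Root", "spki-exempt-subca")
OTHER_SUBCA = Cert("Other SubCA", "Legacy Root", "spki-other-subca")
LEAF_EXEMPT = Cert("exempt.example.test", "Exempt SubCA", "spki-leaf-1")
LEAF_OTHER = Cert("other.example.test", "Other SubCA", "spki-leaf-2")

DISTRUSTED_ROOTS = {"spki-legacy-root"}   # roots covered by the distrust
SUBCA_WHITELIST = {"spki-exempt-subca"}   # subCAs still allowed to chain up
EMBEDDED_ROOTS = {LEGACY_ROOT.name: LEGACY_ROOT}  # roots shipped in the app

# The OS-managed trust store, as a dict of subject name -> Cert.
SYSTEM_STORE_WITH_ROOT = {LEGACY_ROOT.name: LEGACY_ROOT}
SYSTEM_STORE_ROOT_REMOVED = {}  # administrator removed the legacy root


def verify(chain, system_roots, embed_roots=False):
    """Return (ok, reason) for a leaf-first chain ending at its subCA.

    embed_roots=False models a whitelist that relies on the root being in
    the system store; embed_roots=True models the application loading the
    distrusted roots itself, so the whitelist works regardless of the store.
    """
    roots = dict(system_roots)
    if embed_roots:
        roots.update(EMBEDDED_ROOTS)
    root = roots.get(chain[-1].issuer)
    if root is None:
        # Without the root the chain never builds, so the whitelist never
        # gets a chance to apply: the failure mode raised in comment 0.
        return False, "unknown issuer"
    if root.spki in DISTRUSTED_ROOTS:
        if any(c.spki in SUBCA_WHITELIST for c in chain):
            return True, "whitelisted subCA"
        return False, "distrusted root"
    return True, "trusted"
```

Running `verify` with `SYSTEM_STORE_ROOT_REMOVED` and `embed_roots=False` rejects even the whitelisted chain as "unknown issuer", while `embed_roots=True` restores the intended split between the exempt and the ordinary subCA; dropping the embedded roots is the only switch an administrator has in this model, which is the open question the bug leaves.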
I think in this case it's the responsibility of the distribution to make sure everything is working as intended. We can certainly help if they have specific issues that need addressing, but I don't think it makes sense to keep a bug open just in case there might be a problem in the future.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME