Closed Bug 1456112 Opened 6 years ago Closed 6 years ago
Add a pref value to implement the Firefox 63 Symantec distrust algorithm
46 bytes, text/x-phabricator-request
Per the consensus plan for the Symantec distrust, in Firefox 63 we will remove the logic that continues to trust certificates issued on or after 1 June 2016. This bug is to add that logic into the security.pki.distrust_ca_policy preference. https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/FLHRT79e3XE/discussion
This adds another preference (DistrustSymantecRootsRegardlessOfDate == 2) that stops permitting certificates issued after 1 June 2016, and updates the test to check it.
Comment on attachment 8973794 [details] Bug 1456112 - Add a pref to implement the last Symantec Distrust step r?keeler David Keeler [:keeler] (use needinfo) has approved the revision. https://phabricator.services.mozilla.com/D1150
Attachment #8973794 - Flags: review+
Pushed by email@example.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/96c17e4d2d9e Add a pref to implement the last Symantec Distrust step r=keeler
Per Bug 1437754 comment 10, the pref security.pki.distrust_ca_policy makes more sense as a bitmask than a state. To permit future nuance, let's go ahead and do that before people start implementing atop Bug 1456112. This does permit both 0b10 and 0b11 to enable the functionality for Firefox 63.
To use the 63 Symantec distrust settings early, set the preference "security.pki.distrust_ca_policy" to 2. That will be the default in 63. Marking for a relnote and that this is behind a pref. Matt: we'll submit a PI request to do periodic canary runs with this preference set.
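The two comments above describe security.pki.distrust_ca_policy as a bitmask, with value 2 (0b10) enabling the Firefox 63 step that drops the 1 June 2016 exception and 0b11 also enabling it. The following is an added example that models those pref semantics; it is not Firefox's PSM code. The bit for the earlier, date-limited distrust step being 0b01, the constant names, and the sample certificates are assumptions made for this illustration, and conditions the real implementation applies beyond the policy bits and issuance date are not modelled.

```python
from datetime import date

# Assumed bit layout of security.pki.distrust_ca_policy for this example.
# The bug describes value 2 as "DistrustSymantecRootsRegardlessOfDate";
# treating 0b01 as the earlier date-limited step is an assumption here.
DISTRUST_SYMANTEC_ROOTS = 0b01                    # assumed: distrust, but keep certs issued >= cutoff
DISTRUST_SYMANTEC_ROOTS_REGARDLESS_OF_DATE = 0b10  # value 2 from the bug: distrust all

# Certificates issued on or after this date kept working under the first step.
SYMANTEC_CUTOFF = date(2016, 6, 1)


def symantec_chain_distrusted(policy, chains_to_symantec_root, not_before):
    """Return True if a chain should be rejected under the given policy bits.

    policy                  -- integer value of the pref (bitmask)
    chains_to_symantec_root -- whether the chain terminates in a Symantec root
    not_before              -- issuance date of the end-entity certificate
    """
    if not chains_to_symantec_root:
        return False
    # Bit 0b10 removes the date exception entirely (the Firefox 63 step),
    # so 0b10 and 0b11 behave the same, as the comment above states.
    if policy & DISTRUST_SYMANTEC_ROOTS_REGARDLESS_OF_DATE:
        return True
    # Bit 0b01 alone still trusts certificates issued on or after the cutoff.
    if policy & DISTRUST_SYMANTEC_ROOTS:
        return not_before < SYMANTEC_CUTOFF
    return False


def evaluate_policy(policy, certs):
    """Return the names of the certs a given policy value would distrust.

    certs is a list of (name, chains_to_symantec_root, not_before) tuples.
    """
    return [
        name
        for name, symantec, not_before in certs
        if symantec_chain_distrusted(policy, symantec, not_before)
    ]


# Constructed sample chains (not real certificates) to compare policy values.
SAMPLE_CERTS = [
    ("symantec-2015", True, date(2015, 3, 1)),
    ("symantec-2017", True, date(2017, 8, 1)),
    ("other-ca-2015", False, date(2015, 3, 1)),
]


if __name__ == "__main__":
    for policy in (0, 1, 2, 3):
        print(f"policy={policy:#04b} distrusts {evaluate_policy(policy, SAMPLE_CERTS)}")
```

Running the script prints, for each policy value, which of the constructed chains would be rejected; the rows for 0b10 and 0b11 are identical, which is the property the bitmask comment relies on.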