Closed Bug 1456112 Opened 6 years ago Closed 6 years ago

Add a pref value to implement the Firefox 63 Symantec distrust algorithm


(Core :: Security: PSM, enhancement, P1)

61 Branch



Tracking Status
relnote-firefox --- 62+
firefox61 --- wontfix
firefox62 --- fixed


(Reporter: jcj, Assigned: jcj)




(Whiteboard: [psm-assigned])


(1 file, 1 obsolete file)

Per the consensus plan for the Symantec distrust [1], in Firefox 63 we will remove the logic that continues to trust certificates issued on or after 1 June 2016. This bug is to add that logic into the security.pki.distrust_ca_policy preference.

This adds another preference (DistrustSymantecRootsRegardlessOfDate == 2) that
stops permitting certificates issued after 1 June 2016, and updates the test to
check it.
Comment on attachment 8973794 [details]
Bug 1456112 - Add a pref to implement the last Symantec Distrust step r?keeler

David Keeler [:keeler] (use needinfo) has approved the revision.
Attachment #8973794 - Flags: review+
Pushed by
Add a pref to implement the last Symantec Distrust step r=keeler
Per Bug 1437754 comment 10, the pref security.pki.distrust_ca_policy makes more
sense as a bitmask than a state. To permit future nuance, let's go ahead and do
that before people start implementing atop Bug 1456112.

This does permit both 0b10 and 0b11 to enable the functionality for Firefox 63.
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
To use the 63 Symantec distrust settings early, set the preference "security.pki.distrust_ca_policy" to 2. That will be the default in 63.

Marking for a relnote and that this is behind a pref.

Matt: we'll submit a PI request to do periodic canary runs with this preference set.
relnote-firefox: --- → ?
Flags: webcompat?
Flags: behind-pref+
QA Contact: mwobensmith
Blocks: 1460062
Attachment #8973890 - Attachment is obsolete: true
Flags: webcompat?
You need to log in before you can comment on or make changes to this bug.