Closed
Bug 1456112
Opened 6 years ago
Closed 6 years ago
Add a pref value to implement the Firefox 63 Symantec distrust algorithm
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
()
RESOLVED
FIXED
mozilla62
People
(Reporter: jcj, Assigned: jcj)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file, 1 obsolete file)
Per the consensus plan for the Symantec distrust [1], in Firefox 63 we will remove the logic that continues to trust certificates issued on or after 1 June 2016. This bug is to add that logic into the security.pki.distrust_ca_policy preference.

[1] https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/FLHRT79e3XE/discussion
Comment 1•6 years ago
This adds another preference (DistrustSymantecRootsRegardlessOfDate == 2) that stops permitting certificates issued after 1 June 2016, and updates the test to check it.
Comment 2•6 years ago
Comment on attachment 8973794
Bug 1456112 - Add a pref to implement the last Symantec Distrust step r?keeler

David Keeler [:keeler] (use needinfo) has approved the revision.
https://phabricator.services.mozilla.com/D1150
Attachment #8973794 - Flags: review+
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/96c17e4d2d9e
Add a pref to implement the last Symantec Distrust step r=keeler
Comment 4•6 years ago
Per Bug 1437754 comment 10, the pref security.pki.distrust_ca_policy makes more sense as a bitmask than a state. To permit future nuance, let's go ahead and do that before people start implementing atop Bug 1456112. This does permit both 0b10 and 0b11 to enable the functionality for Firefox 63.
Comment 5•6 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/96c17e4d2d9e
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox62: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
Assignee
Comment 6•6 years ago
To use the 63 Symantec distrust settings early, set the preference "security.pki.distrust_ca_policy" to 2. That will be the default in 63. Marking for a relnote and that this is behind a pref. Matt: we'll submit a PI request to do periodic canary runs with this preference set.
Updated•6 years ago
Attachment #8973890 - Attachment is obsolete: true
Updated•6 years ago
Added to Firefox 62 release notes.
Assignee
Updated•5 years ago
Flags: webcompat?
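
The bitmask reading of security.pki.distrust_ca_policy from comment 4, together with the value 2 from comments 1 and 6, can be modelled as below. This is an added example, not Firefox PSM code: the name and meaning of the 0b01 bit, the midnight-UTC cutoff, and the `chainsToSymantecRoot` / `notBefore` record fields are assumptions made for illustration.

```javascript
// Added example: a simplified model of the pref's bitmask, not Firefox PSM source.
const DISTRUST_SYMANTEC_ROOTS = 0b01; // assumed meaning: date-limited distrust
const DISTRUST_SYMANTEC_ROOTS_REGARDLESS_OF_DATE = 0b10; // value 2, per comment 1

// Cutoff from the bug description: 1 June 2016 (midnight UTC is an assumption).
const CUTOFF_MS = Date.UTC(2016, 5, 1);

// Returns true if the policy lets the certificate through.
// `cert` is a hypothetical record: { chainsToSymantecRoot, notBefore }.
function symantecPolicyAllows(policy, cert) {
  if (!Number.isInteger(policy) || policy < 0) {
    throw new TypeError("policy must be a non-negative integer bitmask");
  }
  if (!cert.chainsToSymantecRoot) return true; // policy only targets Symantec roots
  // Test the bit, not equality, so 0b10 and 0b11 behave the same (comment 4).
  if (policy & DISTRUST_SYMANTEC_ROOTS_REGARDLESS_OF_DATE) return false;
  if (policy & DISTRUST_SYMANTEC_ROOTS) {
    // Earlier step: still trust certificates issued on or after the cutoff.
    return cert.notBefore.getTime() >= CUTOFF_MS;
  }
  return true; // 0b00: no distrust applied
}

// Constructed sample certificates (not real data).
const SAMPLE_CERTS = {
  symantecOld: { chainsToSymantecRoot: true, notBefore: new Date("2015-03-01T00:00:00Z") },
  symantecNew: { chainsToSymantecRoot: true, notBefore: new Date("2017-09-15T00:00:00Z") },
  otherCa: { chainsToSymantecRoot: false, notBefore: new Date("2015-03-01T00:00:00Z") },
};

// Evaluate every sample certificate under pref values 0 through 3.
function policyMatrix() {
  const rows = {};
  for (const policy of [0, 1, 2, 3]) {
    rows[policy] = {};
    for (const [name, cert] of Object.entries(SAMPLE_CERTS)) {
      rows[policy][name] = symantecPolicyAllows(policy, cert);
    }
  }
  return rows;
}

console.table(policyMatrix());
```

A consumer that compared the pref for equality with 2 would treat 3 as "not the Firefox 63 behaviour"; testing the bit avoids that.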