Closed Bug 1913802 Opened 6 months ago Closed 6 months ago

"distrust after" shouldn't apply to third-party roots

Categories

(Core :: Security: PSM, enhancement, P1)

RESOLVED FIXED
131 Branch
Tracking Status
firefox131 --- fixed

People

(Reporter: keeler, Assigned: keeler)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

For our built-in roots, we have a "distrust after" feature where we can phase out roots that are no longer trustworthy by not trusting certificates with a notBefore value after the distrust after time. However, for organizations that aren't agile enough to migrate away from the affected root in time, this can cause issues. The proposed workaround is to allow such organizations to import the affected roots as third-party certificates, which would then not be subject to the built-in distrust after restriction.
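The policy described above, sketched as an added example (a simplified model, not Firefox/PSM code and not part of the original bug). The root ids, the cutoff time, and the names `TrustStore`, `evaluate` and `sampleStore` are assumptions made for illustration, as is treating "after" as a strict comparison.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <set>
#include <string>

// Simplified model of the policy in this bug; not Firefox/PSM code.
// Root ids and times (seconds since the Unix epoch) are constructed.
struct TrustStore {
    std::set<std::string> builtinRoots;
    // Built-in root id -> distrust-after time; no entry means no restriction.
    std::map<std::string, int64_t> distrustAfter;
    // Roots an organization imported itself (third-party roots).
    std::set<std::string> thirdPartyRoots;
};

enum class Verdict { Trusted, DistrustedAfter, UnknownRoot };

// Decide whether a leaf chaining to rootId is acceptable, given its notBefore.
Verdict evaluate(const TrustStore& store, const std::string& rootId,
                 int64_t leafNotBefore) {
    // A root imported as third-party is not subject to the built-in
    // restriction, even if the same root also ships as a built-in.
    if (store.thirdPartyRoots.count(rootId)) return Verdict::Trusted;
    if (!store.builtinRoots.count(rootId)) return Verdict::UnknownRoot;
    std::map<std::string, int64_t>::const_iterator it =
        store.distrustAfter.find(rootId);
    // Assumption: "after" is strict, so notBefore == cutoff is still accepted.
    if (it != store.distrustAfter.end() && leafNotBefore > it->second)
        return Verdict::DistrustedAfter;
    return Verdict::Trusted;
}

const int64_t kCutoff = 1700000000;  // constructed distrust-after time

TrustStore sampleStore(bool orgImportsLegacyRoot) {
    TrustStore s;
    s.builtinRoots.insert("legacy-root");
    s.builtinRoots.insert("current-root");
    s.distrustAfter["legacy-root"] = kCutoff;
    if (orgImportsLegacyRoot) s.thirdPartyRoots.insert("legacy-root");
    return s;
}

int main() {
    Verdict before = evaluate(sampleStore(false), "legacy-root", kCutoff + 1);
    Verdict after = evaluate(sampleStore(true), "legacy-root", kCutoff + 1);
    std::printf("built-in only: %d, also imported: %d\n",
                static_cast<int>(before), static_cast<int>(after));
    return 0;
}
```
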

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/967df32a1155
built-in distrust after shouldn't apply to third-party roots r=jschanck
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → 131 Branch