Closed
Bug 1913802
Opened 6 months ago
Closed 6 months ago
"distrust after" shouldn't apply to third-party roots
Categories
(Core :: Security: PSM, enhancement, P1)
Tracking
RESOLVED
FIXED
131 Branch
| | Tracking | Status |
|---|---|---|
| firefox131 | --- | fixed |
People
(Reporter: keeler, Assigned: keeler)
Details
(Whiteboard: [psm-assigned])
Attachments
(1 file)
For our built-in roots, we have a "distrust after" feature where we can phase out roots that are no longer trustworthy by not trusting certificates with a notBefore value after the distrust after time. However, for organizations that aren't agile enough to migrate away from the affected root in time, this can cause issues. The proposed workaround is to allow such organizations to import the affected roots as third-party certificates, which would then not be subject to the built-in distrust after restriction.
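The trust decision described above, sketched in C++ as an added example (not Firefox or PSM code). `Anchor`, `TrustStore`, `CheckDistrustAfter` and the sample cutoff are hypothetical names and constructed values, and treating a notBefore equal to the cutoff as still trusted is an assumption read from the word "after".

```cpp
// Added illustration; not Firefox/PSM source. All names here are hypothetical.
#include <cstdint>
#include <cstdio>
#include <map>
#include <optional>
#include <string>

enum class Verdict { Trusted, DistrustedAfter, UnknownRoot };

// A root may be in the built-in list, the third-party (imported) store, or both.
struct Anchor {
  bool builtIn = false;
  bool thirdParty = false;
  std::optional<int64_t> distrustAfter;  // Unix seconds; built-in metadata only
};

using TrustStore = std::map<std::string, Anchor>;  // keyed by a root identifier

// Decide whether a leaf chaining to rootId passes the distrust-after check.
Verdict CheckDistrustAfter(const TrustStore& store, const std::string& rootId,
                           int64_t leafNotBefore) {
  auto it = store.find(rootId);
  if (it == store.end()) return Verdict::UnknownRoot;
  const Anchor& a = it->second;
  if (!a.builtIn && !a.thirdParty) return Verdict::UnknownRoot;
  // Per the bug description: a root imported as third-party is not subject
  // to the built-in restriction, even if it is also in the built-in list.
  if (a.thirdParty) return Verdict::Trusted;
  // Built-in only: reject leaves whose notBefore is after the cutoff.
  if (a.distrustAfter && leafNotBefore > *a.distrustAfter)
    return Verdict::DistrustedAfter;
  return Verdict::Trusted;
}

// Constructed sample data: root-A is being phased out, root-B is not.
TrustStore SampleStore(bool rootAImported) {
  const int64_t cutoff = 1700000000;  // constructed distrust-after time
  return {{"root-A", Anchor{true, rootAImported, cutoff}},
          {"root-B", Anchor{true, false, std::nullopt}}};
}

int main() {
  const int64_t issuedLate = 1700000001;  // notBefore one second past cutoff
  std::printf("built-in only: %d\n", static_cast<int>(
      CheckDistrustAfter(SampleStore(false), "root-A", issuedLate)));
  std::printf("also imported: %d\n", static_cast<int>(
      CheckDistrustAfter(SampleStore(true), "root-A", issuedLate)));
  return 0;
}
```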
Comment 1•6 months ago
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/967df32a1155
built-in distrust after shouldn't apply to third-party roots r=jschanck
Comment 3•6 months ago
bugherder
Status: NEW → RESOLVED
Closed: 6 months ago
status-firefox131:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 131 Branch