Closed Bug 712615 Opened 13 years ago Closed 5 years ago

Support date-based root invalidation/untrusting

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1465613

People

(Reporter: gerv, Unassigned)

Details

NSS needs a mechanism such that a certificate in the store can be labelled with "do not trust this certificate if any certificate below it in the chain was issued after date X".

This would allow us to disable a root from a certain date (e.g. the date of a compromise) rather than disabling it completely. This gives us a much more surgical tool for dealing with CA compromises than "break the web by pulling the root entirely".

It could be a single flag on a certificate (do not trust for any purpose); we do not need the ability to set this on a per-use-type basis (SSL, code signing, etc.).

Gerv
Status: NEW → RESOLVED
Closed: 5 years ago
QA Contact: jjones
Resolution: --- → DUPLICATE
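
A sketch of the check the report asks for, as an added example that is not NSS code and not part of the original report. The `RootEntry.distrust_after` field, the function name and the sample certificates and dates are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple


def utc(year: int, month: int, day: int) -> datetime:
    return datetime(year, month, day, tzinfo=timezone.utc)


@dataclass(frozen=True)
class Cert:
    subject: str
    not_before: datetime  # issuer-asserted start of validity, used as the issuance date


@dataclass(frozen=True)
class RootEntry:
    subject: str
    # Hypothetical single flag: applies to every use (SSL, code signing, ...),
    # not per use type. None means the root is trusted without a date limit.
    distrust_after: Optional[datetime] = None


def evaluate_chain(root: RootEntry, below_root: List[Cert]) -> Tuple[bool, str]:
    """Return (trusted, reason). below_root holds every certificate under the root."""
    if root.distrust_after is None:
        return True, "root has no date restriction"
    for cert in below_root:
        # "issued after date X": strictly later than the cutoff fails the chain.
        if cert.not_before > root.distrust_after:
            return False, f"{cert.subject} issued after cutoff"
    return True, "all certificates issued on or before cutoff"


# Constructed sample data: a root cut off at an assumed compromise date.
CUTOFF = utc(2011, 8, 1)
ROOT = RootEntry("Example Root CA", distrust_after=CUTOFF)
UNRESTRICTED_ROOT = RootEntry("Other Root CA")
INTERMEDIATE = Cert("Example Issuing CA", utc(2010, 1, 15))
OLD_LEAF = Cert("old.example.test", utc(2011, 3, 1))
NEW_LEAF = Cert("new.example.test", utc(2011, 9, 1))
EDGE_LEAF = Cert("edge.example.test", CUTOFF)

if __name__ == "__main__":
    for leaf in (OLD_LEAF, NEW_LEAF, EDGE_LEAF):
        print(leaf.subject, evaluate_chain(ROOT, [INTERMEDIATE, leaf]))
```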