On Wednesday, July 26, 2017 at 12:55:06 AM UTC, David E. Ross wrote:
> Under the Servers tab for Certificate Manager, I see several root
> certificates whose expiration dates have passed.  I believe these were
> all marked untrusted at one time.  For example, I see six DigiNotar
> certificates, CNNIC's MCSHOLDING TEST, Equifax's MD5 Collisions, among
> others.  Is it safe to delete these?

IIRC, Mozilla just likes to keep expired distrust around because it cannot be 
overridden in the UI, whereas expired or unknown certs might be something a 
regular user might consider not that big of a deal and click through.


In this context @Mozilla: Those additional distrust entries are coming from 
NSS, but they are all pre-OneCRL afaics. Is this coincidence (= there wasn't 
any "high-profile" enough distrust warranting NSS addition) or has the 
certdata-based distrust been entirely obsoleted by OneCRL (= there will never 
be any new distrust entries in certdata)?

I'm asking because some/most Linux distros consume certdata, and they usually 
do have some blacklist capability where they put the certdata-based distrust, 
but I don't know of any that parses OneCRL. I guess they all should, right?
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
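The "certdata-based distrust" the reply refers to lives in NSS's certdata.txt as CKO_NSS_TRUST objects whose usage attributes are set to CKT_NSS_NOT_TRUSTED; a distro's blacklist step is essentially a pass over that file. The script below is an added illustration, not code from this thread or from Mozilla/NSS: it parses a small, constructed certdata.txt excerpt (labels and serials are placeholders) and separates explicitly distrusted entries from server-auth trust anchors. It handles only certdata.txt; OneCRL is a separate feed and is not parsed here.

```python
"""Parse NSS certdata.txt trust objects and list explicitly distrusted CAs.

Added example, not part of the original thread. The sample data is a
constructed excerpt in certdata.txt syntax; labels and serials are placeholders.
"""
import re

# Constructed excerpt: one trusted root (certificate + trust object) and one
# bare distrust entry, which is how explicit distrust appears in certdata.txt.
SAMPLE_CERTDATA = """\
BEGINDATA
#
# Certificate "Example Trusted Root"
#
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\\002\\001\\001
END

# Trust for "Example Trusted Root"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Trusted Root"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\\002\\001\\001
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Explicit distrust entry: a trust object with no matching certificate object
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Explicitly Distrust Example CA"
CKA_SERIAL_NUMBER MULTILINE_OCTAL
\\002\\001\\102
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

USAGES = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", "CKA_TRUST_CODE_SIGNING")


def _decode_octal(lines):
    """Turn MULTILINE_OCTAL lines (\\ooo escapes) into bytes."""
    return bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", "".join(lines)))


def parse_certdata(text):
    """Return a list of attribute dicts, one per object (each starts at CKA_CLASS)."""
    objects, current, multiline = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if multiline is not None:              # inside a MULTILINE_OCTAL block
            if line == "END":
                key, buf = multiline
                current[key] = _decode_octal(buf)
                multiline = None
            else:
                multiline[1].append(line)
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if len(parts) < 2:                     # BEGINDATA and similar markers
            continue
        key, typ = parts[0], parts[1]
        value = parts[2] if len(parts) == 3 else ""
        if key == "CKA_CLASS":                 # a new object begins here
            current = {}
            objects.append(current)
        if current is None:
            continue                           # attribute before any object: skip
        if typ == "MULTILINE_OCTAL":
            multiline = (key, [])
            continue
        if typ == "UTF8":
            value = value.strip('"')
        current[key] = value
    return objects


def trust_summary(objects):
    """Map label -> {usage: trust value, "serial": hex} for each CKO_NSS_TRUST object."""
    summary = {}
    for obj in objects:
        if obj.get("CKA_CLASS") != "CKO_NSS_TRUST":
            continue
        entry = {u: obj.get(u, "CKT_NSS_MUST_VERIFY_TRUST") for u in USAGES}
        entry["serial"] = obj.get("CKA_SERIAL_NUMBER", b"").hex()
        summary[obj["CKA_LABEL"]] = entry
    return summary


def distrusted_labels(text):
    """Labels a distro blacklist step should emit: any usage set to NOT_TRUSTED."""
    summary = trust_summary(parse_certdata(text))
    return sorted(label for label, e in summary.items()
                  if any(e[u] == "CKT_NSS_NOT_TRUSTED" for u in USAGES))


def trusted_server_roots(text):
    """Labels usable as TLS server-auth anchors (TRUSTED_DELEGATOR)."""
    summary = trust_summary(parse_certdata(text))
    return sorted(label for label, e in summary.items()
                  if e["CKA_TRUST_SERVER_AUTH"] == "CKT_NSS_TRUSTED_DELEGATOR")


if __name__ == "__main__":
    print("distrusted:", distrusted_labels(SAMPLE_CERTDATA))
    print("server-auth anchors:", trusted_server_roots(SAMPLE_CERTDATA))
```

The distrust entry carries a serial number but no certificate body; NSS matches it against whatever certificate a server presents, which is why a tool that only extracts CKO_CERTIFICATE objects into a PEM bundle silently drops the distrust and needs the separate blacklist pass shown here.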