On Fri, Feb 7, 2025 at 8:44 AM Jeffrey Walton <[email protected]> wrote:
> I think the CA/BF handled this poorly when it used DistrustAfter to
> address the problem. The CA/BF introduced non-standard extensions to
> something that it claims is a subset or profile of RFC 5280. And I
> have not seen work on getting it standardized. (Corrections, please).

I have no particular comment about how this distrust incident was handled, but do have some technical notes here. And a disclaimer that these are my own opinions, not those of my employer.

The "distrust after" dates are specific to root programs like Mozilla, and not a CA/B Forum thing at all. There are no "non-standard extensions" ... because there are no extensions at all. It is not represented in X.509, or in any format beyond Mozilla's internal ones.

The fact that Linux distributions and other software like Alpine and curl are "copying Mozilla's homework" and not getting the full metadata is a problem, but I don't think the fault lies at Mozilla's feet here.

Linux is a bit unique in that it doesn't really have a "platform verifier" in the way other OSes that ship trust stores do, so it's difficult to enforce changes in code. I think there's a series of other related problems (like sharing OCSP/CRL caches, for example) that also happen as a result of this situation.

I do think Linux likely needs some sort of platform verifier, but given the state of the current software world, I'm not sure how we get from here to there. Perhaps a new systemd component, or other IPC service that can act as a validator, or just perhaps a standardized root store format with more metadata than a bundle of PEM gets you.

-- 
To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAKh5S0YmSTwEpZ2Fm%2BkGErkpsnF5TrwRwjeH-PDiApY%2Bg-1cjA%40mail.gmail.com.
