Description
I expected the following
When parsing certdata.txt, mk-ca-bundle.pl excludes roots whose CKA_NSS_SERVER_DISTRUST_AFTER time is after the current time.

This is incorrect behavior. CKA_NSS_SERVER_DISTRUST_AFTER is supposed to be compared against the leaf certificate's NotBefore time, not the current time:

If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a certificate that builtin issued, then clients can elect not to trust it.

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1618404 and https://bugzilla.mozilla.org/show_bug.cgi?id=1621159

Mozilla intends to set the CKA_NSS_SERVER_DISTRUST_AFTER date of Entrust roots to November 30, 2024. mk-ca-bundle.pl's current behavior will cause consumers of mk-ca-bundle.pl to reject Entrust certificates that Firefox would have accepted, causing breakage that Mozilla did not intend.

Instead, mk-ca-bundle.pl should just ignore the CKA_NSS_SERVER_DISTRUST_AFTER date. Although this would cause consumers of mk-ca-bundle.pl to accept certificates that Firefox would have rejected, in practice this is not any less secure than Firefox. This is because roots with a CKA_NSS_SERVER_DISTRUST_AFTER date still have the ability to issue new certificates that are accepted by Firefox, by simply backdating the certificate's NotBefore date. The point of CKA_NSS_SERVER_DISTRUST_AFTER is not to provide security from an untrustworthy root, but to gracefully sunset trust in a root. When Mozilla adds CKA_NSS_SERVER_DISTRUST_AFTER to a root, they're not saying that certificates issued after that date are untrustworthy. Instead, they are saying that they would like to remove the root at some point in the future. Combined with enforcement of the 398 day maximum certificate lifetime, CKA_NSS_SERVER_DISTRUST_AFTER ensures that all certificates issued by a root are expired 398 days after the CKA_NSS_SERVER_DISTRUST_AFTER date, allowing for the root's removal without breakage. Consequently, it is appropriate for mk-ca-bundle.pl to ignore CKA_NSS_SERVER_DISTRUST_AFTER and wait for Mozilla to fully remove the root.
curl/libcurl version
N/A
operating system
N/A
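As an added illustration (not code from the issue, from curl, or from mk-ca-bundle.pl), the following Python parses the certdata.txt encoding of this attribute and contrasts the two comparisons the issue describes: the NSS rule (distrust date vs. the leaf's NotBefore) and the current-time check the issue reports. The certdata fragment, the "Example Root CA" label and all dates are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed certdata.txt fragment (not a real Mozilla record): one trust object
# whose CKA_NSS_SERVER_DISTRUST_AFTER is 2024-11-30, stored the way certdata.txt
# stores it: an octal-escaped "YYMMDDHHMMSSZ" string inside MULTILINE_OCTAL ... END.
CERTDATA_FRAGMENT = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\064\061\061\063\060\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""


def parse_server_distrust_after(fragment: str):
    """Return CKA_NSS_SERVER_DISTRUST_AFTER as a UTC datetime, or None when it is
    absent or set to CK_BBOOL CK_FALSE (meaning: no distrust date for this root)."""
    m = re.search(r"^CKA_NSS_SERVER_DISTRUST_AFTER (.*)$", fragment, re.M)
    if not m or m.group(1).strip() != "MULTILINE_OCTAL":
        return None
    # Everything between the attribute line and the closing END line.
    body = fragment[m.end():].split("\nEND", 1)[0]
    raw = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", body))
    # Decoded bytes look like b"241130000000Z" (YYMMDDHHMMSSZ, UTC).
    return datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def nss_trusts_leaf(distrust_after, leaf_not_before) -> bool:
    """Mozilla/NSS semantics: the root is still usable for a leaf whose NotBefore
    is on or before the distrust date; leaves issued after it are not trusted."""
    return distrust_after is None or leaf_not_before <= distrust_after


def current_time_check_keeps_root(distrust_after, now) -> bool:
    """The behaviour the issue reports as incorrect: the root is dropped from the
    bundle wholesale once the current time passes the distrust date, regardless
    of when any individual leaf was issued."""
    return distrust_after is None or now <= distrust_after


if __name__ == "__main__":
    cutoff = parse_server_distrust_after(CERTDATA_FRAGMENT)
    utc = timezone.utc
    print("distrust after:", cutoff)
    print("leaf issued 2024-06-01 trusted by NSS:", nss_trusts_leaf(cutoff, datetime(2024, 6, 1, tzinfo=utc)))
    print("leaf issued 2025-01-15 trusted by NSS:", nss_trusts_leaf(cutoff, datetime(2025, 1, 15, tzinfo=utc)))
    print("root kept at 2025-02-08 by current-time check:", current_time_check_keeps_root(cutoff, datetime(2025, 2, 8, tzinfo=utc)))
```

The last two lines of output show the mismatch the issue is about: on 2025-02-08 the current-time check drops the root entirely, while NSS still accepts the leaf issued on 2024-06-01.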
Activity
mk-ca-bundle: remove CKA_NSS_SERVER_DISTRUST_AFTER conditions
noloader commented on Feb 7, 2025

Sorry to bring up an old issue. It looks like mk-ca-bundle.pl parses Mozilla's certdata.txt directly, and Mozilla does not recommend that path. According to Mozilla at Correctly Using Mozilla's Root Store:

Following Mozilla's advice may help with the problems that DistrustAfter creates for projects, and for CAs that are no longer in the Root CA program, like Entrust and GlobalTrust.
noloader commented on Feb 8, 2025
@AGWA,
I don't think the analysis is quite correct. Entrust is still issuing certificates. Firefox will reject them, while cURL will accept them, due to DistrustAfter. See https://crt.sh/?Identity=%25&iCAID=1671. (I think your analysis would have been more accurate if Entrust stopped issuing certificates).
bagder commented on Feb 8, 2025
Feel free to improve the ca bundle generation.
AGWA commented on Feb 8, 2025
@noloader which part of my analysis is incorrect? I explicitly said that curl (and other users of this script) would accept certificates that Firefox would reject.
As to your point about parsing certdata.txt, it's true that mk-ca-bundle.pl could be replaced with just `curl https://ccadb.my.salesforce-sites.com/mozilla/IncludedRootsPEMTxt?TrustBitsInclude=Websites`. But this doesn't magically make Distrust After work. Note that the CCADB bundle includes Entrust and GLOBALTRUST, because these roots are still part of the Mozilla root store, so it's not clear what you think would be accomplished by consuming the CCADB bundle instead of parsing certdata.txt.