Changes

CA/Additional Trust Changes

719 bytes removed, 12:55, 1 February 2018

Remove CNNIC - now gone from NSS

While not technically a modification to the root store as we don't use it for un-trusting roots, Mozilla's [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL] system is used for communicating information about the revocation of intermediate certificates (and high-profile misissued end-entity certificates) to Firefox clients.

~~==CNNIC==~~

Mozilla [https://blog.mozilla.org/security/files/2015/04/CNNIC-MCS.pdf currently recommends] not trusting any certificates issued by this CA after 1st April 2015. This covers two roots in our store - "CNNIC ROOT" and "China Internet Network Information Center EV Certificates Root". We have a [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/CNNICHashWhitelist.inc whitelist of older certificates], and tools to generate it. The code implementing this restriction is [https://dxr.mozilla.org/mozilla-central/source/security/certverifier/NSSCertDBTrustDomain.cpp#753 in the Mozilla platform security code (PSM)], which is shared by the Mozilla applications (Firefox, Thunderbird, etc.).

==ANSSI==

Gerv

Accountapprovers, antispam, confirm, emeritus

4,925

edits

Changes

CA/Additional Trust Changes

Navigation menu

Personal tools

Namespaces

Variants

Views

More

Search

Navigation

How to Contribute

MozillaWiki

Around Mozilla

Tools