Changes


CA/Additional Trust Changes

1 byte added, 22:17, 26 October 2018
Symantec: status/plan updates
==Symantec==
In accordance [https://groups.google.com/d/topic/mozilla.dev.security.policy/FLHRT79e3XE/discussion with the consensus proposal that was adopted in 2017], Mozilla began to distrust Symantec (including GeoTrust, RapidSSL, and Thawte) certificates issued before 1-June 2016 starting in Firefox 60, and plans to distrust Symantec certificates regardless of the date of issuance starting in Firefox 64, unless they are issued by whitelisted subordinate CAs that have the following SHA-256 Subject Public Key hashes (subjectPublicKeyInfo):
Apple:<br />
Note: In some instances, multiple subordinate CAs contain the same public key, necessitating whitelisting by subjectPublicKeyInfo. Refer to ([https://bugzilla.mozilla.org/show_bug.cgi?id=1409257 Bug 1409257]) for more information.
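The note above is why the whitelist is keyed on subjectPublicKeyInfo rather than on a certificate fingerprint. The following Python example is added here for illustration and is not Mozilla's code: it extracts the SPKI from a DER certificate and shows two subordinate CA certificates with different subjects matching a single whitelist entry. The certificates are constructed, unsigned skeletons, and the names <code>toy_cert</code>, <code>spki_sha256</code> and <code>is_allowlisted</code> are hypothetical.

```python
import hashlib

def tlv(tag, body):
    """DER-encode one element with a definite length."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def read_tlv(buf, pos):
    """Return (tag, value_start, element_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:                      # long-form length
        k = first & 0x7F
        length = int.from_bytes(buf[pos:pos + k], "big")
        pos += k
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """Hex SHA-256 of the certificate's DER subjectPublicKeyInfo."""
    _, pos, _ = read_tlv(cert_der, 0)     # Certificate
    _, pos, _ = read_tlv(cert_der, pos)   # tbsCertificate
    skip = 6 if cert_der[pos] == 0xA0 else 5   # optional [0] version, then
    for _ in range(skip):  # serialNumber, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)   # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def toy_cert(subject_cn, key_bytes):
    """Constructed, unsigned certificate skeleton (sample data, not a real key)."""
    name = lambda cn: tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, b"\x55\x04\x03") + tlv(0x0C, cn))))
    alg = lambda h: tlv(0x30, tlv(0x06, bytes.fromhex(h)) + tlv(0x05, b""))
    sig = alg("2a864886f70d01010b")       # sha256WithRSAEncryption
    dates = tlv(0x30, tlv(0x17, b"180101000000Z") + tlv(0x17, b"280101000000Z"))
    spki = tlv(0x30, alg("2a864886f70d010101") + tlv(0x03, b"\x00" + key_bytes))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + sig
              + name(b"Constructed Root") + dates + name(subject_cn) + spki)
    return tlv(0x30, tbs + sig + tlv(0x03, bytes(33)))

SUB_CA_1 = toy_cert(b"Constructed Sub CA 1", b"\x11" * 64)
SUB_CA_2 = toy_cert(b"Constructed Sub CA 2", b"\x11" * 64)   # same key, new subject
OTHER = toy_cert(b"Constructed Sub CA 3", b"\x22" * 64)
ALLOWLIST = {spki_sha256(SUB_CA_1)}       # one entry, derived from one known cert

def is_allowlisted(cert_der):
    return spki_sha256(cert_der) in ALLOWLIST
```
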
The [https://support.mozilla.org/en-US/kb/about-config-editor-firefox Firefox preference] "security.pki.distrust_ca_policy" may be set to '12' to enable distrust (regardless of issuance date) and '0' to override these changes. In Firefox 63, Mozilla plans to remove the ‘before 1-June 2016’ rule and all Symantec TLS certificates will be distrusted except those issued by the whitelisted subordinate CAs listed abovethis preference in Firefox 65.
In a future Firefox release, we expect to remove the whitelist, and remove the ‘websites’ trust bit from all Symantec roots. The timing of these changes, and any changes to the ‘email’ trust bit (S/MIME) have not yet been determined.