CA/Additional Trust Changes

1,407 bytes added, 00:55, 27 February 2020
Added February 2020 update
==Symantec==
In accordance [https://groups.google.com/d/topic/mozilla.dev.security.policy/FLHRT79e3XE/discussion with the consensus proposal that was adopted in 2017], Mozilla began to distrust Symantec (including GeoTrust, RapidSSL, and Thawte) certificates issued before 1-June 2016 starting in Firefox 60, and plans to distrust Symantec certificates regardless of the date of issuance starting in Firefox 64, unless they are issued by whitelisted subordinate CAs that have the following SHA-256 Subject Public Key hashes (subjectPublicKeyInfo):
Apple:<br />
In a future Firefox release, we expect to remove the whitelist, and remove the ‘websites’ trust bit from all Symantec roots. The timing of these changes, and any changes to the ‘email’ trust bit (S/MIME) have not yet been determined.
<br /> <br />
'''Update February 2020:'''
<br />
There is a [https://bugzilla.mozilla.org/show_bug.cgi?id=1465613 new Distrust-After capability] available in [https://hg.mozilla.org/releases/mozilla-beta/file/tip/security/nss/lib/ckfw/builtins/certdata.txt certdata.txt] that is going to be enforced in Firefox and Thunderbird, so the following Bugzilla bugs were filed to use this capability. This update was [https://groups.google.com/d/msg/mozilla.dev.security.policy/WpJiD14tiXc/2Waf17XCFQAJ described in the mozilla.dev.security.policy forum].
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1618404 Symantec root certs - Set CKA_NSS_SERVER_DISTRUST_AFTER]
** Setting CKA_NSS_SERVER_DISTRUST_AFTER to the specified dates distrusts TLS certs that have “Valid From” newer than the specified date. TLS certificates issued prior to this date will continue to be trusted until the certificate’s natural expiration or until we disable the trust bit or remove the root.
* [https://bugzilla.mozilla.org/show_bug.cgi?id=1618407 Symantec root certs - Set CKA_NSS_EMAIL_DISTRUST_AFTER]
** Setting CKA_NSS_EMAIL_DISTRUST_AFTER to the specified dates distrusts S/MIME certs that have “Valid From” newer than the specified date. S/MIME certificates issued prior to this date will continue to be trusted until the certificate’s natural expiration or until we disable the trust bit or remove the root.
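The following is an added example, not part of the original page or of NSS: a Python sketch that reads the two Distrust-After attributes out of certdata.txt-style text and applies the "Valid From" rule described above. It assumes the attribute is stored either as CK_BBOOL CK_FALSE (not set) or as a MULTILINE_OCTAL block holding an ASN.1 UTCTime; the root label, the cutoff date in the sample, and the function names are constructed for illustration, and chain building and expiry checks are out of scope.

```python
import re
from datetime import datetime, timezone

# Constructed sample in certdata.txt syntax; the label and date are placeholders.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA (constructed)"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\061\060\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
'''

ATTR = re.compile(r'^CKA_NSS_(SERVER|EMAIL)_DISTRUST_AFTER\s+(\S+)')

def utctime(s):
    """Decode ASN.1 UTCTime (YYMMDDHHMMSSZ) with the X.509 century rule."""
    yy = int(s[:2])
    year = 2000 + yy if yy < 50 else 1900 + yy
    parsed = datetime.strptime(f'{year}{s[2:]}', '%Y%m%d%H%M%SZ')
    return parsed.replace(tzinfo=timezone.utc)

def parse_distrust_after(text):
    """Return {label: {'SERVER': datetime or None, 'EMAIL': datetime or None}}."""
    roots, label, lines = {}, None, iter(text.splitlines())
    for line in lines:
        line = line.strip()
        if line.startswith('CKA_LABEL UTF8'):
            label = line.split('"')[1]
            roots.setdefault(label, {'SERVER': None, 'EMAIL': None})
        m = ATTR.match(line)
        if m and label and m.group(2) == 'MULTILINE_OCTAL':
            octal = ''
            for data in lines:          # consume the block up to END
                if data.strip() == 'END':
                    break
                octal += data.strip()
            raw = bytes(int(o, 8) for o in re.findall(r'\\([0-7]{3})', octal))
            roots[label][m.group(1)] = utctime(raw.decode('ascii'))
    return roots                        # CK_FALSE leaves the value as None

def trusted_for(roots, label, usage, not_before):
    """usage: 'SERVER' (TLS) or 'EMAIL' (S/MIME); not_before: leaf 'Valid From'."""
    cutoff = roots[label][usage]
    # Only certificates with Valid From newer than the cutoff are distrusted.
    return cutoff is None or not_before <= cutoff
```

Running `parse_distrust_after` over a local copy of certdata.txt gives a quick inventory of which roots carry a cutoff and for which usage.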