Changes

CA/Certificate Change Process

335 bytes added, 22:58, 5 October 2020
added info for distrust-after
== Remove or Disable a Root ==
Reasons for removing or disabling a root certificate may include, but are not limited to:
* Security Compromise
* Expired or Expiring CA
* Legacy, no longer in use
* No recent audit
 
Disabling a Root means one or more of the following:
* Turn off trust bits (Websites, Email)
* Turn off EV Treatment
* Distrust certificates issued after a certain date (Distrust for TLS After, Distrust for S/MIME After)
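Review bot: The new bullet "Distrust certificates issued after a certain date" does not say which date in a certificate is compared against the cutoff, and it leaves implicit that certificates issued before the cutoff stay trusted. Suggest naming the field the date is checked against, and stating whether Distrust for TLS After and Distrust for S/MIME After are set independently of each other.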
'''Important:''' Root changes that are motivated by a serious security concern such as a root compromise should be treated as a security-sensitive bug, and a [https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=CA%20Certificate%20Compliance&groups=crypto-core-security secure bug filed in Bugzilla].
#** Product: NSS
#** Component: CA Certificate Root Program
#** Summaryshould be one of: #*** Remove <CN or cert name> root cert#*** Or: Turn off Trust Bit(s) for <CN or cert name> root cert #*** Turn off EV Treatment for <CN or cert name> root cert #*** Set Distrust After for <CN or cert name> root cert
#** Description: Include the following information
#*** Subject/Issuer field values in the root certificate to be changed
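Review bot: In the Summary options, "Set Distrust After for <CN or cert name> root cert" does not say whether the request covers TLS, S/MIME or both, although the list of disabling actions distinguishes Distrust for TLS After from Distrust for S/MIME After; suggest a summary form that names the purpose. The secure-bug link also carries component=CA%20Certificate%20Compliance while the Component line reads "CA Certificate Root Program"; if both describe the same filing they should agree. The "Or:" prefix appears on only the second option and could be dropped or applied consistently.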