CA/Additional Trust Changes

767 bytes added, 22:30, 21 October 2020
Added section about distrust-after dates
While not technically a modification to the root store as we don't use it for un-trusting roots, Mozilla's [https://blog.mozilla.org/security/2015/03/03/revoking-intermediate-certificates-introducing-onecrl/ OneCRL] system is used for communicating information about the revocation of intermediate certificates (and high-profile misissued end-entity certificates) to Firefox clients.
 
==Distrust After==
For some root certificates Mozilla has set 'Distrust for TLS After Date' or 'Distrust for S/MIME After Date'. For certificates chaining up to those root certificates, Mozilla does not trust end-entity certificates that have a Valid-From date later than the specified distrust-after date. Certificates with a Valid-From date earlier than the distrust-after date will continue to be trusted until the certificate's natural expiration or until the certificate is revoked.
 
These root certificates may be identified via the 'Included CA Certificates' reports on the [[CA/Included_Certificates|CA/Included Certificates wiki page]]. Within those reports look for dates in the 'Distrust for TLS After Date' and 'Distrust for S/MIME After Date' columns.
==ANSSI==
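Review bot: the first paragraph of the new "Distrust After" section covers Valid-From dates "later than" and "earlier than" the distrust-after date, but not a Valid-From that is equal to it. State which side that boundary falls on, and whether the comparison uses the date alone or a full timestamp. X.509 has no field named Valid-From, so it would also help to say that this is the certificate's notBefore value. As a style point, a blank line before "==ANSSI==" would match the spacing used above "==Distrust After==".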