nss-{email, server}-distrust-after values ignored when generating certificate bundles

Jeffrey Walton noloader at gmail.com
Mon Dec 19 05:15:18 UTC 2022

On Sun, Dec 18, 2022 at 11:59 PM DJ Lucas <dj at linuxfromscratch.org> wrote:
> Given the attached anchor, this certificate is still showing up in my
> P11-kit generated bundles for OpenSSL and GNUTLS. I believe this to be
> broken behavior, but figured I post here first to make certain that the
> trust utility is intended to honor the nss-*-distrust-after flag.
> [...]

For completeness, this message is about TrustCor.

Here's the public discussion on Mozilla's dev-security-policy mailing
list: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/etbBho-VBQAJ
. The discussion led to the removal of TrustCor from the Chrome and
Mozilla CA Root programs. Microsoft had previously removed TrustCor
from the Windows CA Root program.


More information about the p11-glue mailing list