nss-{email, server}-distrust-after values ignored when generating certificate bundles
Jeffrey Walton
noloader at gmail.com
Mon Dec 19 05:15:18 UTC 2022
On Sun, Dec 18, 2022 at 11:59 PM DJ Lucas <dj at linuxfromscratch.org> wrote:
>
> Given the attached anchor, this certificate is still showing up in my
> P11-kit generated bundles for OpenSSL and GNUTLS. I believe this to be
> broken behavior, but figured I post here first to make certain that the
> trust utility is intended to honor the nss-*-distrust-after flag.
> [...]
For completeness, this message is about TrustCor.
Here's the public discussion on Mozilla's dev-security-policy mailing
list: https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/oxX69KFvsm4/m/etbBho-VBQAJ
. The discussion led to the removal of TrustCor from the Chrome and
Mozilla CA Root programs. Microsoft had previously removed TrustCor
from the Windows CA Root program.
Jeff
More information about the p11-glue
mailing list