mdeslaur | 3 years ago
Mozilla actually removed the certs from their trust store in February 2021: https://hg.mozilla.org/projects/nss/rev/9718a34c84429b1e5dc6...
Debian and Ubuntu had jumped the gun by a few weeks and there were certificates still being used that had not been renewed yet, so we had to revert temporarily.
Mozilla had used the CKA_NSS_SERVER_DISTRUST_AFTER tag with a date to specify that newer certs issued by that CA were not valid, but as the article above states, the crypto libraries being used in Linux don't support that kind of thing.
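An added example, not part of the comment above or of NSS itself: a sketch of how a per-root CKA_NSS_SERVER_DISTRUST_AFTER date changes the trust decision for a leaf certificate, and what is lost when the store is flattened to a plain list of roots. The certdata.txt-style layout is an assumption, the CA labels and the cutoff date are constructed, and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of NSS certdata.txt (assumed here);
# the CA labels and the cutoff date are made up for illustration.
SAMPLE = r'''
CKA_LABEL UTF8 "Example Root CA"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\061\060\061\060\060\060\060\060\060\132
END
CKA_LABEL UTF8 "Other Root CA"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
'''

def parse_distrust_after(text):
    """Map CA label -> cutoff datetime, or None when no cutoff is set."""
    cutoffs, label = {}, None
    lines = iter(text.splitlines())
    for line in lines:
        line = line.strip()
        m = re.match(r'CKA_LABEL UTF8 "(.*)"$', line)
        if m:
            label = m.group(1)
        elif line == "CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL":
            octal = ""
            for body in lines:          # consume up to the END marker
                if body.strip() == "END":
                    break
                octal += body.strip()
            raw = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
            # The value is an ASCII UTCTime string: YYMMDDHHMMSSZ
            when = datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ")
            cutoffs[label] = when.replace(tzinfo=timezone.utc)
        elif line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER"):
            cutoffs[label] = None
    return cutoffs

def nss_style_trusted(ca_label, leaf_not_before, cutoffs):
    """Root stays trusted, but leaves issued after the cutoff are rejected."""
    if ca_label not in cutoffs:
        return False
    cutoff = cutoffs[ca_label]
    return cutoff is None or leaf_not_before <= cutoff

def flat_bundle_trusted(ca_label, leaf_not_before, cutoffs):
    """A plain list of roots has nowhere to carry the date: in means trusted."""
    return ca_label in cutoffs
```

A store that can only say "root present" or "root absent" has to choose between accepting newly issued certificates from the CA and breaking still-valid older ones.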
jamespwilliams | 3 years ago
I can’t edit my comment now, but hopefully your correction here gets upvoted and is visible to people.