Closed ydroneaud closed 2 years ago
The EC-ACC CA certificate shouldn't be trusted for certificates issued after 2019, as noted in https://bugzilla.mozilla.org/show_bug.cgi?id=1621159
With newer cURL's mk-ca-bundle.pl, the EC-ACC certificate is ignored on the basis that it cannot be used anymore for signing server certificates since 2019, mostly because this policy cannot be expressed in a simple bundle of CA certificates in PEM format.
See https://github.com/curl/curl/pull/8411, in particular https://github.com/curl/curl/pull/8411#issuecomment-1072295360 and the following comments.
So the CA certificate bundle made available by the cURL project at https://curl.se/docs/caextract.html doesn't contain EC-ACC anymore. But the bundle from https://mkcert.org/ still has it.
I believe it should be safe to be as strict as cURL's mk-ca-bundle.pl and have certificates such as EC-ACC distrusted as a result.
More details on this CA can be found at https://crt.sh/?CAID=77
Good catch, should be fixed now.
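The filter discussed in this issue, as an added example (not code from mkcert.org or from cURL's mk-ca-bundle.pl): drop any root that carries a server "distrust after" date, since a PEM bundle cannot express it. It assumes the `CKA_NSS_SERVER_DISTRUST_AFTER` attribute and octal date encoding of Mozilla's `certdata.txt`, which the issue does not show; the sample input, labels and function names are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed certdata.txt-style input; labels and the date are made up.
SAMPLE = r'''
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root A"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE

CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root B"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\061\060\061\060\060\060\060\060\060\132
END
CKA_NSS_EMAIL_DISTRUST_AFTER CK_BBOOL CK_FALSE
'''

def server_distrust_dates(certdata):
    """Map each certificate label to its server distrust-after date, or None."""
    result, label = {}, None
    lines = iter(certdata.splitlines())
    for line in lines:
        m = re.match(r'CKA_LABEL UTF8 "(.*)"', line)
        if m:
            label = m.group(1)
            # The trust object repeats the label; keep the first entry.
            result.setdefault(label, None)
        elif line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL"):
            octal = ""
            for body in lines:  # consume the octal block up to END
                if body.strip() == "END":
                    break
                octal += body.strip()
            raw = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
            # The value is an ASN.1 UTCTime string such as 200101000000Z.
            when = datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ")
            result[label] = when.replace(tzinfo=timezone.utc)
    return result

def bundle_labels(certdata):
    """Roots safe for a plain PEM bundle: no server distrust-after date set."""
    return [l for l, d in server_distrust_dates(certdata).items() if d is None]

if __name__ == "__main__":
    for name, when in server_distrust_dates(SAMPLE).items():
        print(name, "->", when.isoformat() if when else "no date constraint")
    print("bundle:", bundle_labels(SAMPLE))
```
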