alex
commented
4 days ago Thanks Andrew. https://github.com/Lukasa/mkcert/pull/20 should address this.
Open AGWA opened 6 days ago
alex
commented
4 days ago Thanks Andrew. https://github.com/Lukasa/mkcert/pull/20 should address this.
AGWA
commented
4 days ago Nice idea to exclude the root 398 days after the Distrust After!
When parsing certdata.txt, mkcert excludes roots whose
CKA_NSS_SERVER_DISTRUST_AFTERtime is after the current time.This is incorrect behavior.
CKA_NSS_SERVER_DISTRUST_AFTERis supposed to be compared against the leaf certificate's NotBefore time, not the current time:Source
See also https://bugzilla.mozilla.org/show_bug.cgi?id=1618404 and https://bugzilla.mozilla.org/show_bug.cgi?id=1621159
Mozilla intends to set the
CKA_NSS_SERVER_DISTRUST_AFTERdate of Entrust roots to November 30, 2024. mkcert's current behavior will cause consumers of mkcert to reject Entrust certificates that Firefox would have accepted, causing breakage that Mozilla did not intend.Instead, mkcert should just ignore the
CKA_NSS_SERVER_DISTRUST_AFTERdate. Although this would cause consumers of mkcert to accept certificates that Firefox would have rejected, in practice this is not any less secure than Firefox. This is because roots with aCKA_NSS_SERVER_DISTRUST_AFTERdate still have the ability to issue new certificates that are accepted by Firefox, by simply backdating the certificate's NotBefore date. The point ofCKA_NSS_SERVER_DISTRUST_AFTERis not to provide security from an untrustworthy root, but to gracefully sunset trust in a root. When Mozilla addsCKA_NSS_SERVER_DISTRUST_AFTERto a root, they're not saying that certificates issued after that date are untrustworthy. Instead, they are saying that they would like to remove the root at some point in the future. Combined with enforcement of the 398 day maximum certificate lifetime,CKA_NSS_SERVER_DISTRUST_AFTERensures that all certificates issued by a root are expired 398 days after theCKA_NSS_SERVER_DISTRUST_AFTERdate, allowing for the root's removal without breakage. Consequentially, it is appropriate for mkcert to ignoreCKA_NSS_SERVER_DISTRUST_AFTERand wait for Mozilla to fully remove the root.