rustls / webpki-roots

CA certificates for use with webpki
Apache License 2.0

GLOBALTRUST 2020 CA distrust #72

Closed cpu closed 4 months ago

cpu commented 4 months ago

Mozilla recently announced that they intend to implement an "active distrust" for a trust anchor in the Mozilla root program. In this enforcement model the trust anchor isn't removed entirely, but instead only considered trusted for certificates issued before a drop-dead date:

In light of ECM’s persistent issues, we will be setting “Distrust After” dates for websites and email trust bits associated with ECM’s GLOBALTRUST 2020 root CA, effective June 30, 2024.

We'll need to think about whether we want to do anything special for this CA in this repo. We don't presently have the capability to implement a matching active distrust (see https://github.com/rustls/webpki/issues/259 for discussion of how to implement this). If we take that option off of the table what remains are:

  1. do nothing - wait until mozilla removes the root entirely. This would be subpar in the sense that we allow an underperforming root to continue to pose a risk for longer.
  2. remove it now - this will break certificates issued before June 30th that would otherwise continue working in Mozilla Firefox/NSS. If we want to go this route it would be prudent to try and cook up a Censys query to see how many unexpired EE certs chain to this root. I suspect it's not very many (?). We'll also need to update our codegen tooling to allow this.
  3. remove it after June 30th + $LONGEST_ALLOWED_EE_LIFETIME - (presumably this is when mozilla will remove the root themselves, so may be equivalent to option 1)

djc commented 4 months ago

I'm in favor of ditching it early (both before and after reading the discussion in the webpki issue).

cpu commented 4 months ago

If we want to go this route it would be prudent to try and cook up a Censys query to see how many unexpired EE certs chain to this root. I suspect it's not very many (?)

From Ctz on the other ticket:

According to https://crt.sh/cert-populations (they are listed as "e-commerce monitoring GmbH") this is 137 unexpired certificates.

cpu commented 4 months ago

Tooling changes are in-place, just waiting for CCADB data to reflect the distrust after date. I think that's waiting on NSS to land the change (phabricator PR).

cpu commented 4 months ago

I think that's waiting on NSS to land the change (phabricator PR).

The NSS change landed Friday. I pinged the CCADB folks and the distrust after date was updated this morning:

$> curl \
  --location https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReportPEMCSV 2>/dev/null | \
     csvtool namedcol "Common Name or Certificate Name,Distrust for TLS After Date" - |\
        grep -v ",$"
Common Name or Certificate Name,Distrust for TLS After Date
GLOBALTRUST 2020,2024.06.30

Opened https://github.com/rustls/webpki-roots/pull/74
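An added example (not code from webpki-roots, rustls/webpki or the CCADB) of the "Distrust After" enforcement model discussed in this thread: it parses the two-column CSV that the curl/csvtool pipeline above produces and accepts a chain to a named anchor only if the leaf's notBefore is on or before that anchor's distrust date. The sample CSV rows, the `Date` type and day-granularity comparison are assumptions of the example.

```rust
// Added example, not part of webpki-roots. Models Mozilla's "Distrust After"
// rule: the anchor stays in the store, but leaf certificates issued after the
// date are rejected. Dates use the CCADB CSV form "YYYY.MM.DD".

/// Calendar date; the derived ordering is lexicographic (year, month, day).
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Date { pub y: u16, pub m: u8, pub d: u8 }

/// Parse the CCADB "YYYY.MM.DD" form, e.g. "2024.06.30"; None if malformed.
pub fn parse_ccadb_date(s: &str) -> Option<Date> {
    let mut it = s.trim().split('.');
    let y = it.next()?.parse().ok()?;
    let m = it.next()?.parse().ok()?;
    let d = it.next()?.parse().ok()?;
    if it.next().is_some() || !(1..=12).contains(&m) || !(1..=31).contains(&d) {
        return None;
    }
    Some(Date { y, m, d })
}

/// Extract (name, distrust-after date) pairs from the two-column CSV
/// "Common Name or Certificate Name,Distrust for TLS After Date".
/// The date is the last column, so splitting on the last comma tolerates
/// commas inside the name; rows with an empty date are not distrusted.
pub fn parse_distrust_csv(csv: &str) -> Vec<(String, Date)> {
    csv.lines()
        .skip(1) // header row
        .filter_map(|line| {
            let (name, date) = line.rsplit_once(',')?;
            Some((name.trim_matches('"').to_string(), parse_ccadb_date(date)?))
        })
        .collect()
}

/// Distrust-after check: a chain to `anchor_name` is acceptable only when the
/// leaf's notBefore is on or before the anchor's distrust date (assumed
/// day-granular here). Anchors without a date are fully trusted.
pub fn anchor_accepts(table: &[(String, Date)], anchor_name: &str, leaf_not_before: Date) -> bool {
    match table.iter().find(|(n, _)| n == anchor_name) {
        Some((_, distrust_after)) => leaf_not_before <= *distrust_after,
        None => true,
    }
}

/// Constructed sample in the shape of the csvtool output shown in the issue.
pub const SAMPLE_CSV: &str = "Common Name or Certificate Name,Distrust for TLS After Date\n\
GLOBALTRUST 2020,2024.06.30\n\
Example Root CA (constructed),\n";

fn main() {
    let table = parse_distrust_csv(SAMPLE_CSV);
    let july = Date { y: 2024, m: 7, d: 1 };
    println!("GLOBALTRUST 2020 leaf issued 2024-07-01 accepted: {}",
             anchor_accepts(&table, "GLOBALTRUST 2020", july));
}
```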