rustls / webpki-roots

CA certificates for use with webpki
Apache License 2.0

webpki-ccadb: distrust any CA with a distrust after date #73

Closed cpu closed 4 months ago

cpu commented 4 months ago

This commit updates the CCADB codegen to consider any root CA with a distrust for TLS after date as not trusted, irrespective of the distrust date.

The rustls/webpki ecosystem this crate supports does not have the capability to enforce an "active distrust" of a TLS trust anchor in the Mozilla root program that has a "Distrust for TLS After Date" in CCADB. Given this constraint we choose to remove roots immediately when they are given a distrust after date. This is more aggressive than the Mozilla root program but requires no new features implemented in downstream crates. Users needing more nuanced root program enforcement should consider using the rustls-platform-verifier crate.

Updates https://github.com/rustls/webpki-roots/issues/72 (not yet closing, because the CCADB distrust after date hasn't landed to regenerate/remove the root)
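The filtering rule described in the PR, written out as an added example; this is not webpki-roots' own codegen and is not code from the PR. It assumes a CCADB-style CSV export whose header names the columns `Common Name or Certificate Name`, `SHA-256 Fingerprint` and `Distrust for TLS After Date` (the column names and the date format are assumptions), and the sample rows, CA names and fingerprints are constructed for the example. The point it shows is the one the PR makes: a root is dropped as soon as the distrust column is non-empty, whether the date is in the past or the future, because the crate never compares that date against anything.

```rust
// Added example, not webpki-roots code. Parses a CCADB-style CSV and drops
// every root whose "Distrust for TLS After Date" column is non-empty.

/// One row of the (constructed) CCADB export, reduced to the fields we need.
#[derive(Debug, Clone, PartialEq)]
pub struct Root {
    pub common_name: String,
    pub sha256_fingerprint: String,
    /// Raw contents of the distrust column; None when the column is empty.
    pub distrust_for_tls_after: Option<String>,
}

/// Minimal RFC 4180-style field splitter: honours quoted fields (so a CA name
/// containing a comma survives) and "" as an escaped quote.
fn split_csv_line(line: &str) -> Vec<String> {
    let mut fields = Vec::new();
    let mut cur = String::new();
    let mut in_quotes = false;
    let mut chars = line.chars().peekable();
    while let Some(c) = chars.next() {
        match c {
            '"' if in_quotes && chars.peek() == Some(&'"') => {
                cur.push('"');
                chars.next();
            }
            '"' => in_quotes = !in_quotes,
            ',' if !in_quotes => fields.push(std::mem::take(&mut cur)),
            _ => cur.push(c),
        }
    }
    fields.push(cur);
    fields
}

/// Parse the export, locating columns by header name rather than by position
/// so a reordered export fails loudly instead of silently reading the wrong column.
pub fn parse_ccadb(csv: &str) -> Result<Vec<Root>, String> {
    let mut lines = csv.lines().filter(|l| !l.trim().is_empty());
    let header = split_csv_line(lines.next().ok_or("empty csv")?);
    let idx = |name: &str| -> Result<usize, String> {
        header
            .iter()
            .position(|h| h.as_str() == name)
            .ok_or_else(|| format!("missing column: {name}"))
    };
    let cn = idx("Common Name or Certificate Name")?; // assumed CCADB header
    let fp = idx("SHA-256 Fingerprint")?; // assumed CCADB header
    let da = idx("Distrust for TLS After Date")?; // column named in the PR
    lines
        .map(|l| {
            let f = split_csv_line(l);
            if f.len() != header.len() {
                return Err(format!("row has {} fields, header has {}: {l}", f.len(), header.len()));
            }
            let d = f[da].trim();
            Ok(Root {
                common_name: f[cn].clone(),
                sha256_fingerprint: f[fp].clone(),
                distrust_for_tls_after: if d.is_empty() { None } else { Some(d.to_string()) },
            })
        })
        .collect()
}

/// The PR's policy: any distrust-after date, past or future, removes the root.
/// The date's value is deliberately never parsed or compared against "now",
/// which is exactly what makes this stricter than Mozilla's active distrust.
pub fn trusted_roots(roots: &[Root]) -> Vec<Root> {
    roots
        .iter()
        .filter(|r| r.distrust_for_tls_after.is_none())
        .cloned()
        .collect()
}

/// Constructed sample export: fictitious CAs and fingerprints, ISO dates assumed.
pub const SAMPLE_CSV: &str = "\
Common Name or Certificate Name,SHA-256 Fingerprint,Distrust for TLS After Date
Example Root CA 1,AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000AAAA0000,
\"Example Root CA 2, G3\",BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111BBBB1111,2020-01-01
Example Root CA 3,CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222CCCC2222,2099-12-31
";

fn main() {
    let roots = parse_ccadb(SAMPLE_CSV).expect("sample parses");
    for r in &roots {
        let verdict = if r.distrust_for_tls_after.is_some() { "DROPPED" } else { "kept" };
        println!("{verdict:7} {} ({:?})", r.common_name, r.distrust_for_tls_after);
    }
    println!("{} of {} roots remain trusted", trusted_roots(&roots).len(), roots.len());
}
```

Note that `Example Root CA 3` carries a date far in the future and is still removed: under Mozilla's program it would stay trusted until that date, but the crate has no mechanism to express "trusted for certificates issued before X", so immediate removal is the only enforceable choice.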