ssllabs / ssllabs-scan

A command-line reference-implementation client for SSL Labs APIs, designed for automated and/or bulk testing.
https://www.ssllabs.com/projects/ssllabs-apis/
Apache License 2.0

Google Chrome: constraint-based distrust #967

Open lukastribus opened 1 week ago

lukastribus commented 1 week ago

Hello,

Google Chrome implements constraint-based CA distrust:

https://source.chromium.org/chromium/chromium/src/+/main:net/cert/root_store.proto;drc=a783c3bab474ff68e675e2753f91c92ca817e072;l=15?q=f:root_store.proto&ss=chromium

which will be used to distrust Entrust Root CA for certificates whose earliest Signed Certificate Timestamp (SCT) is dated after October 31, 2024 (GMT):

https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html
https://groups.google.com/a/ccadb.org/g/public/c/29CRLOPM6OM/m/-tvW5l-lAAAJ?pli=1

For ssltest I assume it's easier to just remove the Entrust root than it is to implement the same feature.

Thanks in advance

naumanshah03 commented 4 days ago

Hi @lukastribus

Thanks a lot for sharing the resources for the approach followed by Google.

As I read through it, if we remove the said Root CAs from the trust store then there will be false positive results for certificates issued before 31st October 2024; hence we will come up with the said approach mentioned by Google in https://security.googleblog.com/2024/06/sustaining-digital-certificate-security.html

Regards, Nauman Shah
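The SCT-date rule discussed in both comments above (distrust only when the certificate's earliest SCT is dated after October 31, 2024, so that older certificates do not become false positives), written out as a check in Go. This is an added example, not code from ssllabs-scan or Chromium; it assumes the caller has already extracted the TLS-encoded SCT list from the certificate's RFC 6962 extension, and it treats a certificate with no embedded SCTs as not hit by this particular rule.

```go
package main

import (
	"encoding/binary"
	"errors"
	"sort"
	"time"
)

// Cutoff from the issue: an earliest SCT dated after October 31, 2024 (GMT),
// i.e. at or after 2024-11-01 00:00 UTC, makes the certificate distrusted.
var Cutoff = time.Date(2024, time.November, 1, 0, 0, 0, 0, time.UTC)

// ParseSCTTimestamps decodes a TLS-encoded SignedCertificateTimestampList (the
// OCTET STRING contents of the RFC 6962 extension 1.3.6.1.4.1.11129.2.4.2)
// and returns every SCT's timestamp. SCT signatures are not verified here.
func ParseSCTTimestamps(list []byte) ([]time.Time, error) {
	if len(list) < 2 || int(binary.BigEndian.Uint16(list)) != len(list)-2 {
		return nil, errors.New("bad SCT list length")
	}
	var out []time.Time
	for rest := list[2:]; len(rest) > 0; {
		if len(rest) < 2 {
			return nil, errors.New("truncated SCT length")
		}
		n := int(binary.BigEndian.Uint16(rest))
		rest = rest[2:]
		// Need version(1) + log id(32) + timestamp(8) = 41 bytes; only v1 (0) exists.
		if n > len(rest) || n < 41 || rest[0] != 0 {
			return nil, errors.New("truncated or non-v1 SCT")
		}
		ms := binary.BigEndian.Uint64(rest[33:41]) // ms since the Unix epoch
		out = append(out, time.UnixMilli(int64(ms)).UTC())
		rest = rest[n:]
	}
	return out, nil
}

// DistrustedByConstraint applies the rule from the issue: distrusted when the
// earliest SCT is not before cutoff. An empty list is reported as not hit by
// this rule (an assumption here; other validation still applies).
func DistrustedByConstraint(list []byte, cutoff time.Time) (bool, time.Time, error) {
	ts, err := ParseSCTTimestamps(list)
	if err != nil || len(ts) == 0 {
		return false, time.Time{}, err
	}
	sort.Slice(ts, func(i, j int) bool { return ts[i].Before(ts[j]) })
	return !ts[0].Before(cutoff), ts[0], nil // ts[0] is now the earliest SCT
}
```

In a full scanner the list bytes come from the matching entry in cert.Extensions after unwrapping the OCTET STRING, and the SCT signatures should be verified against known logs before their timestamps are relied on.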