Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CKA_NSS_SERVER_DISTRUST_AFTER is not handled properly #19

Open
AGWA opened this issue Nov 11, 2024 · 2 comments
Open

CKA_NSS_SERVER_DISTRUST_AFTER is not handled properly #19

AGWA opened this issue Nov 11, 2024 · 2 comments

Comments

@AGWA
Copy link

AGWA commented Nov 11, 2024

When parsing certdata.txt, mkcert excludes roots whose CKA_NSS_SERVER_DISTRUST_AFTER time is after the current time.

This is incorrect behavior. CKA_NSS_SERVER_DISTRUST_AFTER is supposed to be compared against the leaf certificate's NotBefore time, not the current time:

If a builtin certificate has a CKA_NSS_SERVER_DISTRUST_AFTER timestamp before the SCT or NotBefore date of a certificate that builtin issued, then clients can elect not to trust it.

Source

See also https://bugzilla.mozilla.org/show_bug.cgi?id=1618404 and https://bugzilla.mozilla.org/show_bug.cgi?id=1621159

Mozilla intends to set the CKA_NSS_SERVER_DISTRUST_AFTER date of Entrust roots to November 30, 2024. mkcert's current behavior will cause consumers of mkcert to reject Entrust certificates that Firefox would have accepted, causing breakage that Mozilla did not intend.

Instead, mkcert should just ignore the CKA_NSS_SERVER_DISTRUST_AFTER date. Although this would cause consumers of mkcert to accept certificates that Firefox would have rejected, in practice this is not any less secure than Firefox. This is because roots with a CKA_NSS_SERVER_DISTRUST_AFTER date still have the ability to issue new certificates that are accepted by Firefox, by simply backdating the certificate's NotBefore date. The point of CKA_NSS_SERVER_DISTRUST_AFTER is not to provide security from an untrustworthy root, but to gracefully sunset trust in a root. When Mozilla adds CKA_NSS_SERVER_DISTRUST_AFTER to a root, they're not saying that certificates issued after that date are untrustworthy. Instead, they are saying that they would like to remove the root at some point in the future. Combined with enforcement of the 398 day maximum certificate lifetime, CKA_NSS_SERVER_DISTRUST_AFTER ensures that all certificates issued by a root are expired 398 days after the CKA_NSS_SERVER_DISTRUST_AFTER date, allowing for the root's removal without breakage. Consequentially, it is appropriate for mkcert to ignore CKA_NSS_SERVER_DISTRUST_AFTER and wait for Mozilla to fully remove the root.
alex added a commit to alex/mkcert that referenced this issue Nov 13, 2024
@alex
fixes Lukasa#19 -- correct handle certificate distrust date
bbd91ec 
It is the date after which certificates issued by this root should not be trusted, not the date the root itself becomes untrusted for all certs.
@alex
Copy link

alex commented Nov 13, 2024

Thanks Andrew. #20 should address this.

@AGWA
Copy link
Author

AGWA commented Nov 13, 2024

Nice idea to exclude the root 398 days after the Distrust After!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@alex @AGWA