have method to encode addition trust conditional for root certificates
#24.784 aperta il 3 lug 2024
Metriche repository
- Star
- (30.157 star)
- Metriche merge PR
- (Nessuna PR mergiata in 30 g)
Descrizione
when a root certificate is distrusted by root store, Mozilla was set “Distrust for TLS After Date” which while certificate signed after that date is distrusted, certificate signed before that day will be trusted until its expire. Chrome root store does same thing, but with earliest SCT log date because it's more trusted 3rd party. because current option for CA certificates not support such conditional trust in most distros such certificate keeps full trust on them until such root removed from trust store, 398 days after first browser distrust date. I think there should be some standardization for record such info, and for backward compatibility it'd likely be external format outside of certificate files itself. simple table of spki/last notbefore date allowed/ some other constraint etc?