GLOBALTRUST 2020's reinclusion in Mozilla's trusted certificates


Mike Benza

Jan 10, 2025, 11:48:38 AM
to dev-secur...@mozilla.org
Hello,

I was recently reviewing a PR that upgraded an Elixir project's dependencies and noticed that "GLOBALTRUST 2020" was trusted again in November after being removed in July. (The priv/cacerts.pem file in those PRs is generated by running https://raw.githubusercontent.com/curl/curl/master/scripts/mk-ca-bundle.pl).

A curl to https://hg.mozilla.org/projects/nss/raw-file/default/lib/ckfw/builtins/certdata.txt shows "GLOBALTRUST 2020." I admittedly don't know nearly enough about certs to tell whether there's something there saying the cert shouldn't be trusted, but I was spooked by the cert's return.

Can someone help me understand what's going on?

Andrew Ayer

Jan 10, 2025, 12:13:51 PM
to Mike Benza, dev-secur...@mozilla.org
Hi Mike,

GLOBALTRUST was never removed from the Mozilla root store. Rather, it was tagged with a "Distrust After" date which instructs Firefox to distrust certificates whose Not Before date is after the root's Distrust After date. This is not a security measure (since backdating certificates is trivial), but rather a mechanism to gracefully sunset a root so it can be removed without causing problems 398 days later.

However, Curl's mk-ca-bundle.pl script was incorrectly interpreting the Distrust After date <https://github.com/curl/curl/issues/15547>, causing GLOBALTRUST to be incorrectly excluded. Once that bug was fixed, mk-ca-bundle.pl began emitting GLOBALTRUST again.

There are several reasons why this is unsatisfying. To begin with, Mozilla should not be trusting a CA like GLOBALTRUST _at all_, a point that I and others raised last year <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/XpknYMPO8dI/m/j76_U_fMAAAJ>. Second, root constraints like Distrust After would ideally be propagated in the PEM bundle through to certificate validators instead of being dropped by mk-ca-bundle.pl, but there is no widely-supported mechanism for this at the moment. For more background, see https://sslmate.com/blog/post/entrust_distrust_more_disruptive_than_intended

Regards,
Andrew
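The Distrust After semantics Andrew describes, as an added illustration that is not part of this thread, of NSS, or of curl's mk-ca-bundle.pl: it parses the CKA_NSS_SERVER_DISTRUST_AFTER attribute out of a constructed certdata.txt fragment (labels and dates are made up, not the real GLOBALTRUST 2020 entry), applies the Not Before comparison a Firefox-style validator would, and contrasts it with a consumer of a flat PEM bundle, which has no constraint left to apply.

```python
import re
from datetime import datetime, timezone

# Constructed certdata.txt fragment (trust objects only; not the real entries).
# NSS stores Distrust After as an ASN.1 GeneralizedTime in octal-escaped bytes;
# the first entry decodes to "20240630000000Z", the second has no constraint.
CERTDATA = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root (Distrust After set)"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\062\064\060\066\063\060\060\060\060\060\060\060\132
END
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root (no constraint)"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
"""


def utc(year, month, day):
    """Small helper so test inputs are unambiguous UTC instants."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_distrust_after(certdata):
    """Map each trust object's label to its Distrust After date (None if unset)."""
    table, label, lines, i = {}, None, certdata.splitlines(), 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith("CKA_LABEL UTF8 "):
            label = line.split('"', 2)[1]
        elif line == "CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE":
            table[label] = None  # root carries no sunset date
        elif line == "CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL":
            octets, i = b"", i + 1
            while lines[i].strip() != "END":
                octets += bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", lines[i]))
                i += 1
            stamp = datetime.strptime(octets.decode("ascii"), "%Y%m%d%H%M%SZ")
            table[label] = stamp.replace(tzinfo=timezone.utc)
        i += 1
    return table


def firefox_rejects_leaf(root_label, leaf_not_before, table):
    """Store semantics: the root stays trusted, but a leaf whose Not Before is
    after the root's Distrust After date is rejected. Not a security boundary:
    a CA can backdate Not Before, which is why the thread calls it a sunset."""
    cutoff = table.get(root_label)
    return cutoff is not None and leaf_not_before > cutoff


def pem_bundle_rejects_leaf(root_label, leaf_not_before, table):
    """A flat PEM bundle keeps the root but drops the date, so a validator fed
    only the bundle can never apply the constraint: it rejects nothing."""
    return root_label not in table and False
```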

Mike Benza

Jan 10, 2025, 12:24:48 PM
to dev-secur...@mozilla.org, Andrew Ayer, dev-secur...@mozilla.org, Mike Benza
Andrew,

That explains everything -- I didn't see the issue in curl you reported, nor did I understand the meaning of "Distrust After." Thank you.

- Mike

Jeffrey Walton

Jan 10, 2025, 5:51:29 PM
to dev-secur...@mozilla.org, Andrew Ayer, dev-secur...@mozilla.org, Mike Benza
The thread was forwarded to the curl-library mailing list at <https://curl.se/mail/lib-2025-01/0018.html>.

Jeff