Package: ca-certificates
Followup-For: Bug #911289

I think this comment[0] leads me to the place where the Symantec distrust is implemented. And it's not in NSS itself, but in browsers themselves [1, 2]. I don't know where this leaves ca-certificates.

For the time being, the certificates blacklisted by browsers can be blacklisted in ca-certificates itself. But in general a simple whitelist of trusted certificate authorities is no longer sufficient. For instance, NSS has the ability[3] to distrust a CA certificate after a particular date. This simply isn't possible to represent in ca-certificates' whitelist.

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1456112#c5
[1] https://github.com/mozilla/gecko-dev/blob/e070fba60fae8411f1f2e2f50bb22d5b86e71679/security/certverifier/NSSCertDBTrustDomain.cpp#L1174
[2] https://github.com/chromium/chromium/blob/2ca8c5037021c9d2ecc00b787d58a31ed8fc8bcb/net/http/transport_security_state_ct_policies.inc#L39
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=1465613

-- System Information:
Debian Release: 10.2
  APT prefers stable-updates
  APT policy: (550, 'stable-updates'), (550, 'stable-debug'), (550, 'stable'), (530, 'testing-debug'), (530, 'testing'), (520, 'unstable-debug'), (520, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: arm64

Kernel: Linux 5.3.0-2-amd64 (SMP w/2 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages ca-certificates depends on:
ii  debconf [debconf-2.0]  1.5.71
ii  openssl                1.1.1d-0+deb10u2

ca-certificates recommends no packages.

ca-certificates suggests no packages.
-- debconf information excluded
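As an added illustration (not code from the bug report, NSS or ca-certificates), the kind of rule the report says a flat whitelist cannot express: a trust anchor that still validates certificates issued before a cutoff date but rejects those issued after it. Certificates are modelled with plain dataclasses, and every name and date below is constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate (constructed, not parsed)."""
    subject: str
    issuer: str
    not_before: date


@dataclass(frozen=True)
class TrustAnchor:
    subject: str
    distrust_after: Optional[date] = None  # None: unconditionally trusted


def plain_whitelist_ok(chain: List[Cert], anchors: List[TrustAnchor]) -> bool:
    """All a flat whitelist (a directory of trusted roots) can express: is the root present?"""
    return chain[-1].subject in {a.subject for a in anchors}


def chain_ok(chain: List[Cert], anchors: List[TrustAnchor]) -> Tuple[bool, str]:
    """Whitelist plus a per-root notBefore cutoff: a leaf issued after the cutoff fails."""
    by_subject = {a.subject: a for a in anchors}
    root = by_subject.get(chain[-1].subject)
    if root is None:
        return False, "root not trusted"
    # Each certificate must name the next one in the chain as its issuer.
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False, f"broken chain at {child.subject}"
    leaf = chain[0]
    if root.distrust_after is not None and leaf.not_before > root.distrust_after:
        return False, f"leaf issued after {root.distrust_after} under a distrusted root"
    return True, "ok"


# Constructed trust store: one root that is only trusted for certificates issued up to the cutoff.
ANCHORS = [TrustAnchor("Example Legacy Root CA", distrust_after=date(2016, 12, 1))]
INTERMEDIATE = Cert("Example Legacy Issuing CA", "Example Legacy Root CA", date(2014, 1, 1))
ROOT = Cert("Example Legacy Root CA", "Example Legacy Root CA", date(2010, 1, 1))
OLD_CHAIN = [Cert("old.example", "Example Legacy Issuing CA", date(2016, 6, 1)), INTERMEDIATE, ROOT]
NEW_CHAIN = [Cert("new.example", "Example Legacy Issuing CA", date(2017, 3, 1)), INTERMEDIATE, ROOT]

if __name__ == "__main__":
    for chain in (OLD_CHAIN, NEW_CHAIN):
        print(chain[0].subject, "whitelist:", plain_whitelist_ok(chain, ANCHORS), "dated:", chain_ok(chain, ANCHORS))
```

The whitelist accepts both chains because the root is present; only the dated policy rejects the certificate issued after the cutoff, which is why the root cannot simply be removed from the bundle without breaking the older certificates.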

