[gnutls-devel] GnuTLS | p11-kit-trust: investigate whether CKA_NSS_{SERVER, EMAIL}_DISTRUST_AFTER can be used (#912)

Read-only notification of GnuTLS library development activities gnutls-devel at lists.gnutls.org
Sat Feb 25 01:49:57 CET 2023

Daiki Ueno commented:

The expected behavior is precisely documented at https://wiki.mozilla.org/CA/Additional_Trust_Changes#Distrust_After:

> For some root certificates Mozilla has set 'Distrust for TLS After Date' or 'Distrust for S/MIME After Date'. For certificates chaining up to those root certificates, Mozilla does not trust end-entity certificates that have a Valid-From date later than the specified distrust-after date. Certificates with a Valid-From date earlier than the distrust-after date will continue to be trusted until the certificate's natural expiration or until the certificate is revoked.

I guess that would translate to:
- obtain any CKA_NSS_SERVER_DISTRUST_AFTER attribute when retrieving the issuer certificate (maybe store it in a private field of `struct gnutls_x509_crt_int`)
- compare the issuer's distrust-after date with the one retrieved with `gnutls_x509_crt_get_activation_time`

Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/-/issues/912#note_1292194022

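The comparison outlined in the comment above, as an added example (not GnuTLS code and not from the issue thread). It assumes the attribute value is either a single zero byte (no distrust date set) or a 13-byte UTCTime string `YYMMDDHHMMSSZ`, and that `activation` is the value returned by `gnutls_x509_crt_get_activation_time` for the end-entity certificate; `check_distrust_after` and the `DA_*` codes are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>
#include <time.h>

/* Days since 1970-01-01 for a Gregorian date (avoids non-standard timegm). */
static int64_t days_from_civil(int y, int m, int d)
{
    y -= m <= 2;
    int64_t era = (y >= 0 ? y : y - 399) / 400;
    int yoe = (int)(y - era * 400);
    int doy = (153 * (m + (m > 2 ? -3 : 9)) + 2) / 5 + d - 1;
    int doe = yoe * 365 + yoe / 4 - yoe / 100 + doy;
    return era * 146097 + doe - 719468;
}

/* Parse a 13-byte UTCTime "YYMMDDHHMMSSZ" into seconds since the epoch. */
static int parse_utctime(const unsigned char *v, size_t len, time_t *out)
{
    int f[6]; /* year, month, day, hour, minute, second */
    if (len != 13 || v[12] != 'Z')
        return -1;
    for (int i = 0; i < 6; i++) {
        const unsigned char *p = v + 2 * i;
        if (p[0] < '0' || p[0] > '9' || p[1] < '0' || p[1] > '9')
            return -1;
        f[i] = (p[0] - '0') * 10 + (p[1] - '0');
    }
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 59)
        return -1; /* range check only; day-of-month is not validated per month */
    int year = f[0] + (f[0] >= 50 ? 1900 : 2000); /* RFC 5280 two-digit year rule */
    *out = (time_t)(days_from_civil(year, f[1], f[2]) * 86400 +
                    f[3] * 3600 + f[4] * 60 + f[5]);
    return 0;
}

enum { DA_ERROR = -1, DA_TRUSTED = 0, DA_DISTRUSTED = 1 };

/* attr/attr_len: the issuer's distrust-after attribute value (assumed encoding).
 * A certificate is distrusted only if its Valid-From is later than the cutoff. */
int check_distrust_after(const unsigned char *attr, size_t attr_len, time_t activation)
{
    time_t cutoff;
    if (attr == NULL || attr_len == 0 || (attr_len == 1 && attr[0] == 0))
        return DA_TRUSTED; /* no distrust-after date recorded for this root */
    if (parse_utctime(attr, attr_len, &cutoff) < 0)
        return DA_ERROR;   /* malformed value: caller should fail closed */
    return activation > cutoff ? DA_DISTRUSTED : DA_TRUSTED;
}
```

The date `200101000000Z` used when exercising this code is a constructed sample, not a value from any real trust store.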