Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: None
Affects Version/s: rhel-9.0.0
Component/s: gnutls
Labels:
- MigratedToJIRA
- Triaged

Regression:
None
Severity:
Low

Pool Team:

rhel-sst-security-crypto
Sub-System Group:

ssg_security

Story Points:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Product Documentation Required:
None
Sprint:
None

Preliminary Testing:
None
Test Coverage:
None

Release Note Type:
If docs needed, set a value

Experience:
Architecture:

Unspecified
Bugzilla Bug:
RHBZ: 2179704

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Planning:
None

In 2019, a mechanism has been added to NSS to assert time-based distrust of CA certificates through special PKCS#11 attribute values: CKA_NSS_

{SERVER,EMAIL}

_DISTRUST_AFTER, which forbid the use of certificates issued by the CA after that time:
https://wiki.mozilla.org/CA/Additional_Trust_Changes#Distrust_After

Since then these attributes are being used for CAs such as TrustCor:
https://bugzilla.mozilla.org/show_bug.cgi?id=1803453

As GnuTLS also uses PKCS#11 trust store, it should respect these attributes and distrust the certificates based on that information.

external trackers

Gitlab gnutls/gnutls/-/merge_requests/1725

Red Hat Issue Tracker CRYPTO-10146

Red Hat Issue Tracker RHELPLAN-152265

Assignee:: Daiki Ueno

Reporter:: Daiki Ueno

Developer:: Daiki Ueno

QA Contact:: SSG Security QE

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2023/09/20 11:03 AM

Updated:: 2024/09/30 9:31 PM