forked from agl/extract-nss-root-certs
-
Notifications
You must be signed in to change notification settings - Fork 0
/
server_auth_trust_values.txt
88 lines (57 loc) · 3.3 KB
/
server_auth_trust_values.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
Notes on the meanings of attribute values in the NSS root store
================================================================================
According to a mail by wtc from 10/10/11,
https://groups.google.com/d/msg/mozilla.dev.tech.crypto/ZP3Kn84VBfA/_ozb5TvRLkcJ
CKA_TRUST_SERVER_AUTH
CKA_TRUST_EMAIL_PROTECTION
CKA_TRUST_CODE_SIGNING
are the "trust bits" that each correspond to one purpose and may take
different values.
In 10/2011, these were (I quote from the above mail):
- CKT_NSS_TRUSTED_DELEGATOR: CA is trusted for that purpose.
- CKT_NSS_TRUST_UNKNOWN: this means the CA is not trusted for that
purpose, but is trusted for some other purpose.
- CKT_NSS_NOT_TRUSTED: this means the certificate (which may not be a
CA) is explicitly distrusted.
Furthermore:
"Note: I recommend that the scripts assert that these attributes only
have these three values, so that it can detect when this assumption is
no longer true." - this is absolutely true, and the root store meaning
have changed over time, too.
wtc finishes:
"The scripts must exclude the certificates whose trust objects contain
CKT_NSS_NOT_TRUSTED in any of the CKA_TRUST_SERVER_AUTH,
CKA_TRUST_EMAIL_PROTECTION, and CKA_TRUST_CODE_SIGNING attributes."
================================================================================
In my own analysis, I found the following for earlier versions of the
root store (decision whether to ignore or trust at the end of each
line):
# trust string; earliest; last; meaning changed; constant meaning; comment
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED; 1.1; 1.3; unlikely; used for test certs; IGNORE
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR; 1.4; 1.73; unlikely; trust; TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN; 1.41; 1.73; unlikely; unknown; IGNORE?
-> replaces CKT_NETSCAPE_VALID from 1.41 on!
-> fetch revision and find out what code does
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_UNTRUSTED; 1.51; 1.73
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID; 1.4; 1.73; unlikely; valid CA, but not trusted for purpose; IGNORE
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_VALID_DELEGATOR; 1.16; 1.16; no; used for USPS; intermediate only used once, Bug https://bugzilla.mozilla.org/show_bug.cgi?id=126653 IGNORE? -> fetch revision and find out what code does
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST; 1.81; _ ; unlikely ; unknown; IGNORE? -> find out what code does
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED; 1.74; _ ; unlikely ; explicit distrust; DISTRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR; 1.74; _ ; unlikely ; trust; TRUST
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUST_UNKNOWN; 1.74; 1.83; unlikely; unknown; introduced and stopped IGNORE?
-> replaces CKT_NETSCAPE_TRUST_UNKNOWN from 1.74 on!
-> fetch rev and find out what code does
CKA_TRUST_SERVER_AUTH CK_TRUST HTONL(CKT_NETSCAPE_TRUSTED); 1.2; 1.2; no ; used for test certs; IGNORE
The purpose of the valid flags seems to be to display the CA in different tabs
in the certificate manager.
TRUST as server auth:
CKT_NETSCAPE_TRUSTED_DELEGATOR
CKT_NSS_TRUSTED_DELEGATOR
IGNORE:
CKT_NETSCAPE_TRUSTED
CKT_NETSCAPE_VALID
HTONL(CKT_NETSCAPE_TRUSTED)
DISTRUST:
CKT_NSS_NOT_TRUSTED
UNKNOWN_TRUST:
CKT_NETSCAPE_VALID -> CKT_NETSCAPE_TRUST_UNKNOWN (1.41) -> CKT_NSS_TRUST_UNKNOWN (1.74)