undefined | Better HN

0 pointscm21875y ago0 comments

But what about Chromium and Mozilla?

0 comments

if (verify_result->is_issued_by_known_root && HasTooLongValidity(*cert)) { verify_result->cert_status |= CERT_STATUS_VALIDITY_TOO_LONG;

Chromium's code (linked as the story) only applies these rules to certificates from the Web PKI, not to a private CA.

Mozilla has no checks, I presume the story title names them because they've agreed on this policy but they don't actually enforce policy in the browser code itself.

Or at least they didn't when I asked them months ago about this topic.

GordonS5y ago

> verify_result->is_issued_by_known_root

Let's take Windows as an example, as it has a root certificate store. Now, if I operate a private CA, I install my private root certificate to the root certificate store - does that make it a "known_root" for Chromium, or does this check only cover a specific set of known-to-Chromium CAs?

lvh5y ago

Generally speaking locally installed certs have been exempted from most of the requirements levied on public certificates.

j / k navigate · click thread line to collapse