/srv/irclogs.ubuntu.com/2022/12/04/#ubuntu-security.txt

<JanC> teward: well, I think Mozilla/Microsoft only stopped accepting certificates signed after a certain date, for now? [00:09]
<teward> they may have, but since our Firefox isn't up to date (22.04 was juuuuust before the snap switchover for Firefox because all the flavors pushed hard back about a last second switch at final freeze to Snap right before release) I don't think that has been put into the updates [00:10]
<teward> either way, I have no problem disallowing a CA that's going to be yoinked anyways. [00:10]
<JanC> oh, I disabled those certs too (not just in ca-certs, but in Firefox too) [00:15]
<JanC> ideally all OS makers/distributors would agree to remove it so that there can be no excuses  :) [00:23]
<teward> yup [00:23]
<teward> but also ideally [00:23]
<JanC> also ideally it would never have been added  :) [00:23]
<teward> all browsers would be allowed to refer to $SYSTEM_CERT_STORE instead of individual keyrings (Firefox, Chrome, Edge, etc. all keep their own even on Linux, while they let Windows versions refer to the system cert store) [00:23]
<teward> JanC: accurate [00:24]
<teward> but also my last statement [00:24]
<teward> (accidentally poked the enter key) [00:24]
<JanC> is there a system store with all the same features on linux? [00:25]
<teward> unfortunately no.  but you can 'hack' it for a cert trust store by using ca-certificates [00:25]
<teward> my point being it'd be nice to *not* have to manually adjust 3 separate locations (ca-certs, Firefox, Chrome) and have something capable of editing them all [00:26]
<JanC> from what I understood, ca-certificates can't express "trust only for certificates signed before N" [00:26]
<JanC> it should be possible to implement something central like that, of course [00:26]
<teward> JanC: technically speaking, neither can Firefox or Chrome on their own, without code level changes.  but something centralized would be *nice* to have that [00:26]
<teward> (Windows is unique in that they don't do a ton of RFC-compliant stuff even in their own cert authority systems so) [00:26]
<teward> (no seriously they aren't RFC compliant even in default templates and stuff xD) [00:27]
<teward> but i digres [00:27]
<teward> digress* [00:27]
<teward> as long as I can make my internal network PKI trusted on everything that's all I care about (private PKI cert chain and stuff) [00:27]
<JanC> I wonder if you could implement using system certificates in Firefox with a "security device plugin" [00:32]
<JanC> including system CA certificates? [00:34]
