[00:09] <JanC> teward: well, I think Mozilla/Microsoft only stopped accepting certificates signed after a certain date, for now?
[00:10] <teward> they may have, but since our Firefox isn't up to date (22.04 was juuuuust before the snap switchover for Firefox because all the flavors pushed back hard about a last-second switch at final freeze to Snap right before release) I don't think that has been put into the updates
[00:10] <teward> either way, I have no problem disallowing a CA that's going to be yoinked anyways.
[00:15] <JanC> oh, I disabled those certs too (not just in ca-certs, but in Firefox too)
[00:23] <JanC> ideally all OS makers/distributors would agree to remove it so that there can be no excuses  :)
[00:23] <teward> yup
[00:23] <teward> but also ideally
[00:23] <JanC> also ideally it would never have been added  :)
[00:23] <teward> all browsers would be allowed to refer to $SYSTEM_CERT_STORE instead of individual keyrings (Firefox, Chrome, Edge, etc. all keep their own even on Linux, while they let Windows versions refer to the system cert store)
[00:24] <teward> JanC: accurate
[00:24] <teward> but also my last statement
[00:24] <teward> (accidentally poked the enter key)
[00:25] <JanC> is there a system store with all the same features on linux?
[00:25] <teward> unfortunately no.  but you can 'hack' it for a cert trust store by using ca-certificates
[00:26] <teward> my point being it'd be nice to *not* have to manually adjust 3 separate locations (ca-certs, Firefox, Chrome) and have something capable of editing them all
[00:26] <JanC> from what I understood, ca-certificates can't express "trust only for certificates signed before N"
[00:26] <JanC> it should be possible to implement something central like that, of course
[00:26] <teward> JanC: technically speaking, neither can Firefox or Chrome on their own, without code level changes.  but something centralized would be *nice* to have that
[00:26] <teward> (Windows is unique in that they don't do a ton of RFC-compliant stuff even in their own cert authority systems so)
[00:27] <teward> (no seriously they aren't RFC compliant even in default templates and stuff xD)
[00:27] <teward> but I digress
[00:27] <teward> as long as I can make my internal network PKI trusted on everything that's all I care about (private PKI cert chain and stuff)
[00:32] <JanC> I wonder if you could implement using system certificates in Firefox with a "security device plugin"
[00:34] <JanC> including system CA certificates?