by floatingatoll 2196 days ago
This inspired me to look into my system's trusted roots. Here are the root CA expirations coming up in the next 18 months. The last one on this list really hits home, as anyone who did TLS back in the early 00's may remember.

2020-09-12 - DST Root CA X4

2021-03-17 - QuoVadis Root Certification Authority

2021-04-06 - Sonera Class X2

2021-09-30 - DST Root CA X3

2021-11-09 - Admin-Root-CA

2021-12-15 - Belgium Root CA2

2021-12-15 - GlobalSign

1 comments
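
Added example, not part of the original post: one way to produce a listing like the one above with Python's standard `ssl` module. The sample entries reuse two names and dates from the post with constructed times of day; the other entries, the reference date and the 548-day window (roughly 18 months) are assumptions.

```python
import ssl
from datetime import datetime, timedelta, timezone

def load_system_roots():
    """Return the default trust store as dicts with 'subject' and 'notAfter'."""
    # Caveat: roots found via an OpenSSL capath directory are loaded lazily
    # and do not show up here; cafile and Windows store entries do.
    return ssl.create_default_context().get_ca_certs()

def display_name(cert):
    """Prefer commonName; fall back to OU, then O (some old roots lack a CN)."""
    attrs = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    for key in ("commonName", "organizationalUnitName", "organizationName"):
        if key in attrs:
            return attrs[key]
    return "<unnamed>"

def expiring_roots(certs, now, days=548):
    """Sorted (date, name) pairs for roots expiring in (now, now + days]."""
    cutoff = now + timedelta(days=days)
    hits = []
    for cert in certs:
        ts = ssl.cert_time_to_seconds(cert["notAfter"])
        not_after = datetime.fromtimestamp(ts, tz=timezone.utc)
        if now < not_after <= cutoff:
            hits.append((not_after.date().isoformat(), display_name(cert)))
    return sorted(hits)

# Constructed sample in the shape get_ca_certs() returns.
SAMPLE = [
    {"subject": ((("commonName", "DST Root CA X3"),),),
     "notAfter": "Sep 30 12:00:00 2021 GMT"},
    {"subject": ((("commonName", "DST Root CA X4"),),),
     "notAfter": "Sep 12 12:00:00 2020 GMT"},
    {"subject": ((("organizationName", "Example Org"),),),   # no CN, far future
     "notAfter": "Jan 01 00:00:00 2038 GMT"},
    {"subject": ((("commonName", "Example Expired Root"),),),
     "notAfter": "Jan 01 00:00:00 2019 GMT"},
]
SAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)  # constructed reference date

if __name__ == "__main__":
    for date, name in expiring_roots(load_system_roots(),
                                     datetime.now(timezone.utc)):
        print(f"{date} - {name}")
```
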

Admin-Root-CA shows us how far we've come. I think today that even if Mozilla's root programme didn't forbid them, people would guess that ultra-vague names aren't a good idea.

For reference, that is the Swiss government's root, and it isn't trusted by Mozilla, so as a consequence it's unlikely that any systems you have facing ordinary web browsers depend on this root to be trusted.

It's also funny to go back and look at Mozilla's trust decision (it's before I was engaged in looking at this on a day-to-day basis) and see that the terrible naming was decisive while the practice of just basically trusting a Swiss government employee to issue whatever they want was considered only "problematic" and not necessarily a showstopper.

Of course, because Mozilla doesn't trust this root, it does not see itself as having any oversight role for the root. So if you use macOS, or Windows, to do anything other than run Firefox, you're reliant on their teams to verify that this root is well run. Maybe they're doing a great job? I guess you'd only ever find out the hard way because they operate entirely behind closed doors.

Certificate Transparency logs would provide the answer to this.