4 Comments
Jul 2 · Liked by Amir

Because the Linux/embedded 'trust store' is just a single PEM file or a bunch of PEM files and cannot attach additional conditions, they don't/can't use Mozilla's trust store fully: for example, if a root was distrusted for notBefore dates after 2024-01-01, because ca-certificates doesn't have that information this root will be fully trusted until 398 days later, when Mozilla stops publishing about that certificate and it is removed from the list.

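As an added illustration of the gap described in the comment above (example code written for this page, not part of the thread and not any distribution's ca-certificates tooling): a plain PEM bundle can only say whether a root is present, while a store that carries per-root conditions can also refuse leaf certificates issued on or after a distrust date. Certificates are modelled here as plain records with constructed subjects and dates rather than parsed from PEM, so the script runs with the standard library only.

```python
# Added example, not code from the comment thread: a toy root-store policy check
# contrasting a plain PEM bundle (root present or not) with a store that can carry
# a per-root "distrust certificates issued on or after DATE" condition.
# Certificates are modelled as records with constructed names and dates instead
# of being parsed from PEM, so this runs with the standard library only.
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    not_after: date


@dataclass(frozen=True)
class RootPolicy:
    subject: str
    # Leaf certificates whose notBefore is on or after this date are not trusted
    # under this root; None means the root carries no such condition.
    distrust_after: Optional[date] = None


def chain_links(chain: List[Cert]) -> bool:
    """Each certificate must be issued by the next one up; the last is self-signed."""
    return all(chain[i].issuer == chain[i + 1].subject for i in range(len(chain) - 1)) \
        and chain[-1].issuer == chain[-1].subject


def valid_on(chain: List[Cert], today: date) -> bool:
    """Every certificate in the chain must be within its validity window."""
    return all(c.not_before <= today <= c.not_after for c in chain)


def plain_bundle_trusts(chain: List[Cert], bundle: Set[str], today: date) -> bool:
    """A PEM bundle can only say which roots exist: trust iff the root is in it."""
    return chain_links(chain) and valid_on(chain, today) and chain[-1].subject in bundle


def policy_trusts(chain: List[Cert], policies: Dict[str, RootPolicy], today: date) -> bool:
    """A store with per-root conditions can additionally refuse by issuance date."""
    if not (chain_links(chain) and valid_on(chain, today)):
        return False
    policy = policies.get(chain[-1].subject)
    if policy is None:
        return False
    leaf = chain[0]
    if policy.distrust_after is not None and leaf.not_before >= policy.distrust_after:
        return False
    return True


# Constructed sample data: one root distrusted for issuance on or after 2024-01-01.
ROOT = Cert("Example Root CA", "Example Root CA", date(2015, 1, 1), date(2035, 1, 1))
OLD_LEAF = Cert("old.example.test", "Example Root CA", date(2023, 6, 1), date(2024, 7, 3))
NEW_LEAF = Cert("new.example.test", "Example Root CA", date(2024, 3, 1), date(2025, 4, 3))
OLD_CHAIN = [OLD_LEAF, ROOT]
NEW_CHAIN = [NEW_LEAF, ROOT]

BUNDLE = {ROOT.subject}
POLICIES = {ROOT.subject: RootPolicy(ROOT.subject, distrust_after=date(2024, 1, 1))}
TODAY = date(2024, 6, 1)


def compare(today: date = TODAY) -> Dict[str, Dict[str, bool]]:
    """Return the verdicts of both store types for the old and new chains."""
    return {
        "plain_bundle": {
            "old": plain_bundle_trusts(OLD_CHAIN, BUNDLE, today),
            "new": plain_bundle_trusts(NEW_CHAIN, BUNDLE, today),
        },
        "with_policy": {
            "old": policy_trusts(OLD_CHAIN, POLICIES, today),
            "new": policy_trusts(NEW_CHAIN, POLICIES, today),
        },
    }


if __name__ == "__main__":
    print(compare())
```

Run as a script it prints both verdict tables: the bundle accepts both chains because the root is present, while the policy-aware check rejects the leaf issued after the distrust date. The bundle only stops trusting such leaves once the root itself is dropped from the file, which is the delay the comment describes.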
Jul 2 · Author

Yeah, the situation on Linux needs improving. I am hoping that we can get some interest in the Linux Foundation to consider formalizing the story of root stores on Linux-based distros.

The alternative is that each distro needs to figure out what they are going to use.

Jul 3 · Liked by Amir

I think the real problem is that most of the TLS libs don't provide such a format, so distros have no incentive to provide it: openssl can't use it anyway.

Jul 3 · edited Jul 3 · Author

This might be something where we can see some client-side RFCs try to standardize a level of client-side behavior/controls/etc.

I think once we get the Sunlight CT logs (https://sunlight.dev/), we should start to consider standardizing certain TLS library behaviors.

We effectively need robust protocols for the upstream suppliers of root stores, the consumers of those root stores, and then downstream applications, to be able to speak to push certain behavior.
