Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://follow.agwa.name/objects/4742601f-7120-4718-8db8-3b3c72f65e8a">Andrew Ayer (agwa@follow.agwa.name)'s status on Tuesday, 12-Nov-2024 14:33:13 JST</a><a href="https://follow.agwa.name/users/agwa" title="agwa@follow.agwa.name"><img src="https://gnusocial.jp/avatar/140092-48-20230626194014.webp" width="48" height="48" alt="Andrew Ayer" style="position: absolute; left: 0; top: 0;">Andrew Ayer</a><div><a href="https://follow.agwa.name/objects/36c5a376-ef64-49dd-a41c-36e0be7119d4" rel="in-reply-to">in reply to</a><ul><li></ul></div></section><article><p>As I expected, many clients will accept Entrust certificates issued after Nov 30. But to my surprise, several providers of PEM root bundles, notably <a href="https://mkcert.org/">Certifi/mkcert</a> and <a href="https://curl.se/docs/caextract.html">curl</a>, will begin automatically omitting Entrust roots after Nov 30 - meaning previously-issued Entrust certs will stop working! This is a complete misinterpretation of Mozilla's Distrust After attribute, and will cause unexpected breakage. I have opened bugs, but I expect other consumers have also misinterpreted Distrust After, so it would be prudent to replace existing Entrust certs.</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3983806#notice-7783079">In conversation</a><time datetime="2024-11-12T14:33:13+09:00" title="Tuesday, 12-Nov-2024 14:33:13 JST">about 3 months ago</time> <span>from <span><a href="https://follow.agwa.name/objects/4742601f-7120-4718-8db8-3b3c72f65e8a" rel="external" title="Sent from follow.agwa.name via ActivityPub">follow.agwa.name</a></span></span><a href="https://follow.agwa.name/objects/4742601f-7120-4718-8db8-3b3c72f65e8a">permalink</a></footer></blockquote>

Corresponding Notice

Embed this notice
Andrew Ayer (agwa@follow.agwa.name)'s status on Tuesday, 12-Nov-2024 14:33:13 JSTAndrew Ayer
in reply to
- Andrew Ayer
As I expected, many clients will accept Entrust certificates issued after Nov 30. But to my surprise, several providers of PEM root bundles, notably Certifi/mkcert and curl, will begin automatically omitting Entrust roots after Nov 30 - meaning previously-issued Entrust certs will stop working! This is a complete misinterpretation of Mozilla's Distrust After attribute, and will cause unexpected breakage. I have opened bugs, but I expect other consumers have also misinterpreted Distrust After, so it would be prudent to replace existing Entrust certs.
In conversationabout 3 months ago from follow.agwa.namepermalink

Public

Embed Notice

HTML Code

Corresponding Notice