> where Ubuntu just unilaterally reverted Mozilla’s removal of a cert in their package, because it was breaking nuget… Note that this was early 2021 — Mozilla removed Symantec from their trust store in October 2018!
Mozilla actually removed the certs from their trust store in February 2021: https://hg.mozilla.org/projects/nss/rev/9718a34c84429b1e5dc6...
Debian and Ubuntu had jumped the gun by a few weeks and there were certificates still being used that had not been renewed yet, so we had to revert temporarily.
Mozilla had used the CKA_NSS_SERVER_DISTRUST_AFTER tag with a date to specify newer certs issued by that CA were not valid, but as the article above states, the crypto libraries being used in Linux don't support that kind of thing.
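
The distrust-after behaviour described in this comment, as an added example that is not part of the original comment or of NSS: it reads the attribute from a certdata.txt-style fragment and compares a consumer that honours the date with one that only sees a flat list of trusted roots. The fragment, root labels, dates and function names are constructed for illustration, and the value is assumed to be an octal-escaped UTCTime string (YYMMDDHHMMSSZ).

```python
import re
from datetime import datetime, timezone

# Constructed certdata.txt-style fragment (not copied from NSS): one root
# with a distrust-after date, one with the attribute unset.
CERTDATA = r'''
CKA_LABEL UTF8 "Example Legacy Root"
CKA_NSS_SERVER_DISTRUST_AFTER MULTILINE_OCTAL
\062\060\060\061\060\061\060\060\060\060\060\060\132
END
CKA_LABEL UTF8 "Example Current Root"
CKA_NSS_SERVER_DISTRUST_AFTER CK_BBOOL CK_FALSE
'''

def parse_distrust_after(text):
    """Map root label -> distrust-after datetime (None when unset)."""
    roots, label, lines = {}, None, iter(text.splitlines())
    for line in lines:
        m = re.match(r'CKA_LABEL UTF8 "(.*)"', line)
        if m:
            label = m.group(1)
        elif line.startswith("CKA_NSS_SERVER_DISTRUST_AFTER"):
            if line.endswith("MULTILINE_OCTAL"):
                octal = ""
                for body in lines:          # consume lines up to END
                    if body.strip() == "END":
                        break
                    octal += body
                raw = bytes(int(o, 8) for o in re.findall(r"\\([0-7]{3})", octal))
                when = datetime.strptime(raw.decode("ascii"), "%y%m%d%H%M%SZ")
                roots[label] = when.replace(tzinfo=timezone.utc)
            else:
                roots[label] = None         # CK_BBOOL CK_FALSE: no cutoff
    return roots

def server_trust(root, leaf_not_before, roots, honor_distrust_after):
    """Decide whether a leaf chaining to `root` is accepted for TLS servers."""
    if root not in roots:
        return False                        # root is not in the store at all
    cutoff = roots[root]
    if honor_distrust_after and cutoff is not None and leaf_not_before > cutoff:
        return False                        # leaf issued after the cutoff
    return True                             # flat-bundle consumers always land here

if __name__ == "__main__":
    store = parse_distrust_after(CERTDATA)
    leaf = datetime(2020, 6, 1, tzinfo=timezone.utc)  # constructed notBefore
    for honor in (True, False):
        print(honor, server_trust("Example Legacy Root", leaf, store, honor))
```

A consumer that ignores the attribute can only keep the root (accepting leaves issued after the cutoff) or drop it (rejecting older leaves that are still in use), which is the choice the comment describes.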