Linux Certificate Authority root stores have a too simple view of ‘trust’
December 1, 2022
Let’s start with the background. Pretty much every Linux system
(really, every Unix system) has a ‘system CA root store’, by which
we mean ‘the list of all CA root certificates that are trusted by
default by most TLS-using software’. For various sensible reasons,
many Linux distributions reuse Mozilla’s CA root store for their
system root store, possibly with some tweaks.
The recent TLS news is that Mozilla (and Microsoft) are distrusting
the TrustCor CA certificates (see this entry for more on TrustCor). Over on the Fediverse,
Filippo Valsorda reported the news and said:
Mozilla is distrusting TrustCor.
Certificates issued from December 1st onward won’t be trusted, roots
will be removed once current certificates expire.

Note that this probably means systems like Linux distros that just
consider the Mozilla root store a bag of certificates will fully trust
TrustCor for at least another year, likely longer due to release lag.
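The difference between the two views of ‘trust’ is easy to see in code. The following Go program is an added example, not code from this post, from Mozilla or from any Linux distribution: it builds a throwaway self-signed root and two certificates under it (one issued before, one after the December 1st cutoff quoted above), then checks them two ways. BagVerify is the ‘bag of certificates’ model a plain system root store gives you: a chain to a stored root within its validity period is enough. DateAwareVerify adds a per-root ‘distrust after’ date keyed on the root’s fingerprint, in the spirit of what Mozilla’s root program applies (the rule here is an approximation written for the example, not NSS’s implementation). The root name, the check time and the DistrustedRoots type are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// DistrustAfter is the cutoff quoted in the post: leaf certificates issued
// from this date onward under a distrusted root are rejected, while the root
// itself stays in the store until older certificates under it have expired.
var DistrustAfter = time.Date(2022, 12, 1, 0, 0, 0, 0, time.UTC)

// DistrustedRoots maps a root's SHA-256 DER fingerprint to its cutoff date
// (a constructed type for this example; keyed by fingerprint, not by name).
type DistrustedRoots map[[32]byte]time.Time

func Fingerprint(c *x509.Certificate) [32]byte { return sha256.Sum256(c.Raw) }

func mustCert(der []byte, err error) *x509.Certificate {
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// NewCA generates a throwaway self-signed root (constructed; not a real CA).
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Distrusted Root"},
		NotBefore:             time.Date(2020, 1, 1, 0, 0, 0, 0, time.UTC),
		NotAfter:              time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)), key
}

// IssueLeaf signs a one-year server certificate under ca with the given NotBefore.
func IssueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, notBefore time.Time) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notBefore.Unix()),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(1, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	return mustCert(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
}

// BagVerify is the plain root-store model: a valid chain to a stored root is
// accepted. Nothing here knows that the root is on its way out.
func BagVerify(leaf, root *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return err
}

// DateAwareVerify builds the same chains, then rejects any chain ending in a
// listed root when the leaf was issued on or after that root's cutoff. The
// leaf is accepted if at least one chain survives the rule.
func DateAwareVerify(leaf, root *x509.Certificate, now time.Time, dr DistrustedRoots) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	if err != nil {
		return err
	}
	for _, chain := range chains {
		cutoff, listed := dr[Fingerprint(chain[len(chain)-1])]
		if !listed || leaf.NotBefore.Before(cutoff) {
			return nil // this chain is acceptable
		}
	}
	return errors.New("every chain ends in a distrusted root and the leaf was issued on or after its cutoff")
}

func main() {
	root, key := NewCA()
	now := time.Date(2023, 1, 15, 0, 0, 0, 0, time.UTC) // constructed check time
	dr := DistrustedRoots{Fingerprint(root): DistrustAfter}
	for _, m := range []time.Month{time.November, time.December} {
		leaf := IssueLeaf(root, key, time.Date(2022, m, 15, 0, 0, 0, 0, time.UTC))
		fmt.Println(m, "issue: bag store:", BagVerify(leaf, root, now), "| date-aware:", DateAwareVerify(leaf, root, now, dr))
	}
}
```

Run it and the November certificate passes both checks, while the December one passes BagVerify and fails DateAwareVerify. That gap is exactly what a distribution inherits when it copies the certificate list but not the per-root metadata that goes with it.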
You might reasonably be confused about why Linux systems would trust
TrustCor certificates for so long. The lesser reason is delays in
updating their packaged copies of the Mozi