This update supports a new PKCS#11 attribute CKA_NSS_MOZILLA_CA_POLICY. The attribute has been defined by NSS version 3.30. The attribute is expected to be set to true for CA certificates that have been added as part of the Mozilla CA Policy process.
The enhancement is required for compatibility with the future Firefox 54 release, which will query this attribute when accessing root CA certificates from the loaded CA trust module. On Fedora, Firefox is configured to access the p11-kit-trust module, instead of the NSS CA trust module nssckbi. This change to the ca-certificates package will make the attribute available to p11-kit-trust and Firefox.
Support for this new attribute requires p11-kit-trust version and build 0.23.2-3, which contains the relevant backported functionality from upstream version 0.23.5.
To enable the addition of this attribute, the ca-certificates package has been changed to use p11-kit-trust's flexible p11-kit-object-v1 file format for the internal packaging of the CA certificates list.
The update-ca-trust command has been changed to add comments to extracted PEM format files.
The changes in this package version shouldn't affect any existing functionality or trust.
sudo dnf upgrade --advisory=FEDORA-2017-3753e75f72
|submitted||2 years ago|
|in testing||2 years ago|
|in stable||2 years ago|
|0||0||#1418739 ca-certificates must set the nss-mozilla-ca-policy pkcs#11 attribute for Mozilla CAs|
|0||0||#1418741 Change the CA + trust input format given from ca-certificates to p11-kit-trust|