Commit 14521198 authored by Filippo Valsorda's avatar Filippo Valsorda
Browse files

crypto/x509: remove IsCA exception for broken Entrust root

The exception allowed a specific intermediate [1] to chain up to a
broken root that lacked the CA:TRUE X509v3 Basic Constraint.

The broken root [2] is expiring at the end of 2019, so we can remove the
exception in Go 1.14.

Moreover, there is a reissued version of that root [3] (same Subject and
SPKI, valid CA) which expires in 2029, so root stores should have
migrated to it already, making the exception unnecessary.

[1]: https://crt.sh/?caid=57
[2]: https://crt.sh/?id=1616049
[3]: https://crt.sh/?id=55

Change-Id: I43f51100982791b0e8bac90d143b60851cd46dfc
Reviewed-on: https://go-review.googlesource.com/c/go/+/193038


Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: default avatarBrad Fitzpatrick <bradfitz@golang.org>
parent 36f30ba2
Loading
Loading
Loading
Loading
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please to comment