crypto/x509: remove IsCA exception for broken Entrust root
The exception allowed a specific intermediate [1] to chain up to a broken root that lacked the CA:TRUE X509v3 Basic Constraint. The broken root [2] is expiring at the end of 2019, so we can remove the exception in Go 1.14. Moreover, there is a reissued version of that root [3] (same Subject and SPKI, valid CA) which expires in 2029, so root stores should have migrated to it already, making the exception unnecessary. [1]: https://crt.sh/?caid=57 [2]: https://crt.sh/?id=1616049 [3]: https://crt.sh/?id=55 Change-Id: I43f51100982791b0e8bac90d143b60851cd46dfc Reviewed-on: https://go-review.googlesource.com/c/go/+/193038 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Showing
Please register or sign in to comment