Kathleen Wilson <[email protected]> wrote:

>> * It is better to spend energy improving TLS-related work than
>> S/MIME-related stuff. The S/MIME stuff distracts too much from the TLS
>> work.
>
> Please further explain whose energy this is referring to, and who is
> getting distracted too much from the TLS work.


Everybody that reads or writes email in this mailing list, for one. Anybody
who has to write text for Mozilla's CA policy and/or propose changes for
another.


>> * We can simplify the policy and tighten up the policy language more if the
>> policy only has to deal with TLS certificates.
>
> Another approach would be to separate the policy language that is specific
> to the "Email trust bit" certs.


That also seems reasonable. If the email policy were completely separate
then people could ignore it.


>> * Mozilla's S/MIME processing isn't well supported.
>
> Mozilla is not the only consumer of the NSS root store.


Yes. But, I don't think that an organization that does not have a strong
interest in how the email trust bit affects its products is a good choice
to run a program for email CA trust, despite the good intentions and hard
work of the people within that organization to try to do something good.


>> Large parts of it are
>> out of date and the people who maintain the certificate validation logic
>> aren't required to keep S/MIME stuff working. In particular, it is OK
>> according to current development policies for us to change Gecko's
>> certificate validation logic so that it works for SSL but doesn't
>> (completely) work for S/MIME. So, basically, Mozilla doesn't implement
>> software that can properly use S/MIME certificates, as far as we know.
>
> Is this true? Can someone at Mozilla confirm or deny this statement about
> current development policies?


You can see an example of this policy at work at
https://bugzilla.mozilla.org/show_bug.cgi?id=1114787.

Cheers,
Brian
-- 
https://briansmith.org/