On 1/28/2014 4:37 PM, Brian Smith wrote : > On Tue, Jan 28, 2014 at 4:25 PM, Kathleen Wilson <kwil...@mozilla.com> wrote: >> DigiCert has applied to include 5 new root certificates that will eventually >> replace the 3 DigiCert root certificates that were included in NSS via bug >> #364568. The request is to turn on all 3 trust bits and enable EV for all of >> the new root certs. >> >> 1) DigiCert Assured ID Root G2 -- This SHA-256 root will eventually replace >> the SHA-1 “DigiCert Assured ID Root CA” certificate. >> >> 2) DigiCert Assured ID Root G3 -- The ECC version of the Assured ID root. >> >> 3) DigiCert Global Root G2 -- This SHA-256 root will eventually replace the >> SHA-1 “DigiCert Global Root CA” certificate. >> >> 4) DigiCert Global Root G3 -- The ECC version of the Global root. >> >> 5) DigiCert Trusted Root G4 -- This SHA-384 root will eventually replace the >> SHA-1 “DigiCert High Assurance EV Root CA” certificate. > > I object, only on the grounds that there is no technical need to have > more than one root. I have a counter-proposal: > > 1. Add DigiCert Trusted Root G4 with all three trust bits set. > 2. Ask DigiCert to issue versions of their intermediates that are > signed/issued by "DigiCert Trusted Root G4". > 3. Remove the existing DigiCert roots. > 4. Preload all the intermediates signed by DigiCert Trusted Root G4 > (with no trust bits, so they inherit trust from DigiCert Trusted Root > G4) into NSS. > > Benefits of my counter-proposal: > 1. Fewer roots for us to manage. > 2. Sites that forget to include their intermediates in their TLS cert > chain are more likely to work in Firefox, without us having to do AIA > caIssuers, because of us preloading the intermediates. > 3. Because of #1, there is potential for us to design a simpler root > certificate management UI. > 4. We can do optimizations with the preloading of intermediates to > avoid building the whole chain every time. (That is, we can > precalculate the trust of the intermediates.) > > This would set a good precedent for us to follow with all other CAs. > By working with all CAs to do something similar, we would end up with > one root per CA, and with a bunch of preloaded intermediates. Then we > can separate the view of intermediates from the view of roots in the > UI, and the UI will become much simpler. > > Cheers, > Brian >
I do not consider "Benefit #2" to be a benefit. This would mean that Mozilla is enabling poor security practices by allowing server administrators to be lazy and incompetent -- allowing them to tell users their browsing session is secure while the server is incompletely configured. -- David E. Ross <http://www.rossde.com/> On occasion, I filter and ignore all newsgroup messages posted through GoogleGroups via Google's G2/1.0 user agent because of spam, flames, and trolling from that source. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy