On 7/28/14, 11:00 AM, Brian Smith wrote:
I suggest that, instead of including the cross-signing certificates in
the NSS certificate database, the mozilla::pkix code should be changed
to look up those certificates when attempting to find them through NSS
fails. That way, Firefox and other products that use NSS will have a
lot more flexibility in how they handle the compatibility logic.
There's already a bug for fetching missing intermediates:
https://bugzilla.mozilla.org/show_bug.cgi?id=399324
I think it would help with removal of roots (the remaining 1024-bit
roots, non-BR-compliant roots, SHA1 roots, retired roots, etc.), and IE
has been supporting this capability for a long time.
So, should we do this?
Does it introduce security concerns?
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy