On Mon, Aug 4, 2014 at 3:52 PM, Kathleen Wilson <kwil...@mozilla.com> wrote:
> It turns out that including the 2048-bit version of the cross-signed
> intermediate certificate does not help NSS at all. It would only help
> Firefox, and would cause confusion.

That isn't true, AFAICT.

> It works for Firefox, because mozilla::pkix keeps trying until it finds a
> certificate path that works.

NSS's libpkix also keeps trying until it finds a certificate path that works. libpkix is used by Chromium and by Oracle's products (IIUC).

> Therefore, it looks like including the 2048-bit intermediate cert directly
> in NSS would cause different behavior depending on where the root store is
> being used. This would lead to confusion.

IMO, it isn't reasonable to make decisions like this based on the behavior of the "classic" NSS path building. Really, the classic NSS path building logic is obsolete, and anybody still using it is going to have lots of compatibility problems due to this change and other things, some of which are out of our control.

Cheers,
Brian

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
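The point of disagreement in this thread is whether a path builder keeps trying other issuer candidates after one is rejected. The following is an added illustration, not code from the thread, from NSS, or from mozilla::pkix: a toy model that contrasts a greedy "first matching issuer, then give up" builder with a backtracking one, over a constructed hierarchy in which two cross-signed intermediates share a subject name but carry a 1024-bit and a 2048-bit key. The certificate fields, the policy rule (a minimum key size) and the claim that this is how the two strategies differ are simplifying assumptions for the demonstration; no signatures are verified.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for an X.509 certificate: only the fields the
    toy path builder looks at. Real signature checks are omitted."""
    subject: str
    issuer: str
    key_bits: int


# Constructed sample hierarchy (not real certificates): one root, two
# cross-signed intermediates sharing a subject name but with different key
# sizes, and one leaf issued under that name.
ROOT = Cert("Example Root CA", "Example Root CA", 2048)
INTERMEDIATE_1024 = Cert("Example Intermediate CA", "Example Root CA", 1024)
INTERMEDIATE_2048 = Cert("Example Intermediate CA", "Example Root CA", 2048)
LEAF = Cert("www.example.test", "Example Intermediate CA", 2048)

# Order matters for the greedy builder: the weak intermediate is listed
# first, as the older of two cross-signed certificates often would be.
POOL = [INTERMEDIATE_1024, INTERMEDIATE_2048, ROOT]
ANCHORS = {ROOT}


def acceptable(cert, min_key_bits):
    """Policy check applied to every certificate on a candidate path."""
    return cert.key_bits >= min_key_bits


def first_match_path(leaf, pool, anchors, min_key_bits):
    """Greedy builder: at each step take the first issuer whose subject
    matches, and fail outright if that issuer is rejected by policy.
    Simplified model of a non-backtracking strategy, not NSS's code."""
    if not acceptable(leaf, min_key_bits):
        return None
    path = [leaf]
    while path[-1] not in anchors:
        issuers = [c for c in pool
                   if c.subject == path[-1].issuer and c not in path]
        if not issuers:
            return None
        candidate = issuers[0]
        if not acceptable(candidate, min_key_bits):
            return None  # no second attempt with the other intermediate
        path.append(candidate)
    return path


def backtracking_path(leaf, pool, anchors, min_key_bits):
    """Exhaustive builder: depth-first search over every issuer candidate,
    skipping any that fail policy and moving on to the next. Simplified
    model of a "keep trying until a path works" strategy."""
    if not acceptable(leaf, min_key_bits):
        return None

    def extend(path):
        if path[-1] in anchors:
            return path
        for candidate in pool:
            if candidate.subject != path[-1].issuer or candidate in path:
                continue  # wrong issuer name, or would form a loop
            if not acceptable(candidate, min_key_bits):
                continue  # rejected by policy: try the next candidate
            found = extend(path + [candidate])
            if found is not None:
                return found
        return None

    return extend([leaf])


def describe(path):
    """Render a path as 'subject (bits)' strings for easy comparison."""
    if path is None:
        return None
    return [f"{c.subject} ({c.key_bits}-bit)" for c in path]


if __name__ == "__main__":
    for min_bits in (1024, 2048):
        print(f"minimum key size {min_bits}:")
        print("  first-match :",
              describe(first_match_path(LEAF, POOL, ANCHORS, min_bits)))
        print("  backtracking:",
              describe(backtracking_path(LEAF, POOL, ANCHORS, min_bits)))
```

With the minimum key size set to 2048, the greedy builder hits the 1024-bit intermediate first and reports failure even though a valid 2048-bit path exists; the backtracking builder rejects that candidate, continues, and returns the path through the 2048-bit cross-signed intermediate. With the minimum at 1024 both builders agree, which is why the difference only surfaces once a policy starts rejecting one of the two cross-signed certificates.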