On 20/10/14 03:10, Gregory Szorc wrote:
> Is there a good reason Mozilla can't host copies of the trusted CA
> bundle in popular formats so people can obtain a copy directly from
> Mozilla? And while we're at it, can we add some PGP signatures for
> additional verification?

One issue is, perhaps, that Mozilla doesn't perhaps have an official stance on reuse of this data.

Mozilla is the /de facto/ maintainer of the only "open process" root program. That is to say, if you want a curated root store with good web compatibility and you don't want to do your own due diligence, you can choose Microsoft's, Apple's or Mozilla's. (Google uses whatever the platform store is, with some tweaks.) Of those three, we are the only ones who run an open and transparent process. Which makes ours popular.

[The fact that we maintain this is sort of tied to the fact that we also make NSS, and our root store is the default one in NSS (and so in most things NSS gets into), but that's not a required link. If NSS had never existed, we could still be doing this.]

All this means that people take our root store and embed it in things. And we certainly don't try and stop them. Good luck to 'em, I say.

And when we make decisions about our program, we do sometimes think about other consumers of our list. For example, we maintain a "code-signing?" bit for each trusted root even though Mozilla software has, in recent history, done little or nothing with code signing. (Although that may change.)

But there's perhaps a difference between "we don't try and stop you", and "we encourage you". Saying "here it is in a useful format - download it" would definitely be the latter.

Perhaps we just need to jump that gap and accept what is /de facto/ true.

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy