On Mon, Feb 23, 2015 at 02:14:13PM -0800, Clint Wilson wrote:
> Lots of Enterprises and organizations have very legitimate requirements to
> add their own internal root CA to the NSS store.
I suspect John's point is that lots of enterprises and organisations (I
remember a time when those were the same thing...) have very legitimate
requirements to add their own internal add-ons to Firefox, and he is simply
calling out an apparent inconsistency in Mozilla's policies on these two
object types. (John, if I'm misrepresenting your position, please feel free
to correct me).
However, the two situations aren't the same, and thus can't be compared so
simplistically. Mozilla's signature on an add-on says, "we're reasonably
sure this add-on isn't going to do Bad Things to your browser", because they
can wave automated scanning tools over the code to look for dodgy stuff.
The closest thing I can think of for CA certificates would be if Mozilla
OK'd only technically-constrained CA certs -- say, only for domains and IP
ranges which the applicant was known to own. However, that is exactly the
sort of thing that existing trusted root CAs do. I suspect that existing
trusted root CAs would be unhappy if Mozilla took on this task. It would
also be a significant cost to Mozilla, because determining authority to
issue certs for an entire portion of the DNS space is a lot more manual
effort than running a code analysis tool over an add-on.
- Matt
--
"The user-friendly computer is a red herring. The user-friendliness of a
book just makes it easier to turn pages. There's nothing user-friendly about
learning to read."
-- Alan Kay
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
