> As you know, the root store is a fixed component with the browser and the
> only way to change it is to update your browser.

That may be true for Firefox, but I don't think that's universally true. I
believe some browsers look to the underlying OS trust store, which can be
updated separately from the browser.

-- Eric

On Fri, Jul 3, 2015 at 3:47 PM, Peter Kurrasch <[email protected]> wrote:

> Thanks for sharing this correspondence, Richard. I'm not sure the
> committee fully appreciates the scope of the problem, but it's good to see
> them make an effort. I was actually surprised that the committee seems to
> understand as much as they do, so perhaps this will be just a first step in
> a process.
>
> Regarding the specific questions asked and answered, I would have liked to
> see the idea of compatibility addressed in a more straightforward fashion.
> (I'm assuming this is what the letter had in mind when talking about
> stability?)
>
> As you know, the root store is a fixed component with the browser and the
> only way to change it is to update your browser. Not everyone updates his
> or her browser, for reasons good, bad, understandable, and so forth. This
> situation creates certain challenges for website owners when an important
> behavioral difference appears between versions.
>
> If the different browser versions also contain contradictory information
> in terms of the trusted roots, the software which validates certs, and
> compliance with government regulations, the potential exists for "good"
> websites to become inaccessible. It certainly doesn't benefit anyone when
> that happens.
>
> Obviously this stuff comes up all the time when we discuss the roots and
> such, but the committee might not have considered it. To the extent that
> the committee might like to implement regulations or make changes to them
> over time, they should keep this in mind. I'm not sure it's a technical
> limitation, but it is a limitation nonetheless.
>
> Just some thoughts....
>
>
> Original Message
> From: Richard Barnes
> Sent: Tuesday, June 30, 2015 1:37 PM
> To: [email protected]
> Subject: Letter from US House of Representatives
>
> Dear dev.security.policy,
>
> I wanted to let you all know of some correspondence that happened recently
> between Mozilla and the US Congress.
>
> On June 9, the House of Representatives Committee on Energy and Commerce
> sent a letter [1] to Mozilla asking for our opinion on the "restricting CAs
> run by governments to issuing certificates for their own properties within
> their ccTLDs".
>
> Mozilla security and policy staff wrote a reply [2] to this letter,
> highlighting the importance of our open process, and outlining some of the
> arguments on both sides of the question that were raised in earlier threads
> on this mailing list. Our reply was delivered June 23.
>
> Obviously, we can't change the letter now, but if you have any thoughts or
> concerns about this interaction, please feel free to reply in this thread.
>
> --Richard
>
> [1] https://energycommerce.house.gov/sites/republicans.energycommerce.house.gov/files/114/Letters/20150609Mozilla.pdf
> [2] http://blog.mozilla.org/netpolicy/files/2015/06/Mozilla-Response-to-Congressional-letter-on-CAs-signed.pdf
>
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy

-- 
konklone.com | @konklone <https://twitter.com/konklone>

