Breaking this out into a separate discussion:
...should Mozilla continue to accept certificates without the "Websites" trust bit? Considering that there are not clear guidelines for how to process either code signing or email, and considering their relevance (or lack thereof) to Mozilla, it would seem wise to carefully consider both whether to accept new applications and what to do with existing applications. My own personal suggestion is to not accept new certificates, and to purge the existing ones.
I have always viewed my job as running the NSS root store, which has many consumers, including (but not limited to) Mozilla Firefox. So, to remove something like root certs that only have the email trust bit enabled requires input from the consumers of NSS. It should not be removed just because Firefox doesn't use it.
Is the mozilla.dev.security.policy forum the correct place to have this discussion about the NSS root store only including root certs with the Websites trust bit enabled?
Or should I start the discussion in another forum, such as mozilla.dev.tech.crypto?
Kathleen