On 9/3/15 11:22 AM, Kathleen Wilson wrote:
> After some discussion with folks on the NSS team, here's a proposal:
>
> 1) Add an item to the "To Be Discussed" section of
> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
> to update Mozilla's CA Cert Policy to clarify which audit criteria are
> required depending on which trust bits are set. In particular, root
> certs with only the S/MIME trust bit set will have different audit
> criteria requirements than root certs with the Websites trust bit set.
>
> 2) Remove included root certs that only have the Code Signing trust bit
> enabled. To our knowledge, no one is using such root certs via the NSS
> root store.
>
> Kathleen

Added to https://wiki.mozilla.org/CA:CertPolicyUpdates#To_Be_Discussed
~~
27. Clarify which audit criteria are required depending on which trust
bits are set. In particular, root certs with only the S/MIME trust bit
set will have different audit criteria requirements than root certs with
the Websites trust bit set.
28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed
using Mozilla's own roots. There doesn't appear to be anyone else using
the roots in the NSS root store for Code Signing. -- currently under
discussion in mozilla.dev.security.policy.
~~
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy