On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote:
> As already pointed out, this is probably at least used by java on
> most Linux distributions.
When you say "Java", it would be helpful to clarify. Oracle/Sun operate their own root store for Java, so this presumably would be non-Oracle/Sun Java platforms, correct?

And considering that NSS-as-a-first-class-library is not widely used on most Linux distributions outside of the Red Hat-derived family, it's likely that they're using an /etc/ca-certificates (or akin) populated from the Mozilla Root program, but without respecting either the trust bits (beyond distrust) or the application behaviours (e.g. EKU chaining).

If this is correct (and unless things have significantly improved, I believe so), it would more so reaffirm how removing these two trust programs from the Mozilla store could lead to _more_ security (in the Web case), even if it might affect other use cases (e.g. S/MIME applications, non-Oracle Java runtimes).

Such a Java distribution could, for example, choose to inherit/implement Oracle's root store, on the basis of matching 1:1 compatibility with Oracle's implementation. That might be better for users - and security - for that case.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
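The trust-bit flattening described in the reply above, as an added example that is not part of the original post: it reads the CKO_NSS_TRUST objects of Mozilla's certdata.txt (the CKA_* attribute names and CKT_NSS_* values are the real ones; the root names and the excerpt are constructed) and shows that a bundle which honours only distrust keeps an email-only root that a TLS client should not anchor on.

```python
# Added example (not code from the thread): parse the trust objects of Mozilla's
# certdata.txt and compare a flat bundle with the roots TLS should trust.
TRUSTED, DISTRUSTED = "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_NOT_TRUSTED"

def parse_certdata(text):
    """One dict per CKA_CLASS object; MULTILINE_OCTAL bodies are skipped."""
    objects, skipping = [], False
    for line in map(str.strip, text.splitlines()):
        if skipping or not line or line.startswith("#"):
            skipping = skipping and line != "END"
            continue
        attr, typ, value = (line.split(None, 2) + ["", ""])[:3]
        if typ == "MULTILINE_OCTAL":
            skipping = True
        elif attr == "CKA_CLASS":
            objects.append({attr: value})
        elif objects:  # lines such as BEGINDATA before the first object are ignored
            objects[-1][attr] = value.strip('"') if typ == "UTF8" else value
    return objects

def trust_bits(text):
    """Label -> {server_auth, email} as recorded in the CKO_NSS_TRUST objects."""
    return {o["CKA_LABEL"]: {"server_auth": o.get("CKA_TRUST_SERVER_AUTH"),
                             "email": o.get("CKA_TRUST_EMAIL_PROTECTION")}
            for o in parse_certdata(text) if o["CKA_CLASS"] == "CKO_NSS_TRUST"}

def flat_bundle(text):
    """What a naive conversion keeps: every root not distrusted on all bits."""
    return [lbl for lbl, b in trust_bits(text).items()
            if not all(v == DISTRUSTED for v in b.values() if v)]

def tls_server_roots(text):
    """Roots a TLS client should anchor on: the server-auth bit must be set."""
    return [lbl for lbl, b in trust_bits(text).items() if b["server_auth"] == TRUSTED]

SAMPLE = """\
# Constructed sample in certdata.txt syntax (trust objects only), not real data
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Web Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Email-Only Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted Root"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""
```

Running `flat_bundle(SAMPLE)` against `tls_server_roots(SAMPLE)` shows the email-only root surviving into the flat bundle, which is exactly the over-trust the reply describes.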