On Tue, Sep 8, 2015 at 3:22 PM, Ryan Sleevi <[email protected]> wrote:

> On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote:
> >  As already pointed out, this is probably at least used by java on
> >  most Linux distributions.
>
> When you say "Java", it would be helpful to clarify.
>
> Oracle/Sun operate their own root store for Java, so this presumably would
> be non-Oracle/Sun Java platforms, correct?
>
> And considering that NSS-as-a-first-class-library is not widely used on
> most Linux distributions outside of the Red Hat-derived family, it's
> likely that they're using an /etc/ca-certificates (or akin) populated from
> the Mozilla Root program, but without respecting either the trust bits
> (beyond distrust) or the application behaviours (e.g. EKU chaining).
>
> If this is correct (and unless things have significantly improved, I
> believe so), it would more so reaffirm how removing these two trust
> programs from the Mozilla store could lead to _more_ security (in the Web
> case), even if it might affect other use cases (e.g. S/MIME applications,
> non-Oracle Java runtimes).
>
> Such a Java distribution could, for example, choose to inherit/implement
> Oracle's root store, on the basis of matching 1:1 compatibility with
> Oracle's implementation. That might be better for users - and security -
> for that case.
>

I don't know anything about Java, but ...

I have confirmed that gecko has no dependency on the code signing bits.
Verification of addons and Firefox OS apps is done using specific roots
that are managed outside of the NSS certificate database.

So unless someone can produce a concrete example of a software system that
is using the NSS code signing trust bits, I would be inclined to remove
support for those bits, starting by removing roots that only have the code
signing bit set.

--Richard
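Added example (not from the thread or from NSS itself): a small parser for `certutil -L` style output that classifies roots by their three NSS trust columns (SSL, S/MIME, object/code signing). It answers two questions the thread raises: which roots carry only the code-signing bit, and which roots a flat CA bundle would over-trust for TLS if it copied every root and honoured nothing but explicit distrust. The listing below is constructed sample data, not a real certificate store, and the nicknames are invented.

```python
import re
from typing import List, Tuple

# Constructed sample in the shape of `certutil -L -d sql:<nssdb>` output.
# The three comma-separated trust columns are SSL, S/MIME and JAR/XPI (object signing).
# 'C' = trusted CA for that usage, 'T' = trusted for client auth, 'p' = explicitly distrusted.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Web Root CA                                          C,C,C
Example Mail-Only Root CA                                    ,C,
Example Code-Signing-Only Root CA                            ,,C
Example Distrusted Root CA                                   p,p,p
Example Client-Auth Root CA                                  CT,C,C
"""

# Nickname may contain spaces; the trust field is the last token and always has two commas.
# The header line "SSL,S/MIME,JAR/XPI" is rejected because '/' is not a trust flag letter.
ENTRY_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

Entry = Tuple[str, Tuple[str, str, str]]


def parse_certutil_listing(text: str) -> List[Entry]:
    """Return (nickname, (ssl_flags, smime_flags, objsign_flags)) for each certificate line."""
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, column legend or blank spacer line
        ssl, smime, objsign = m.group("trust").split(",")
        entries.append((m.group("nick").strip(), (ssl, smime, objsign)))
    return entries


def is_trust_anchor(flags: str) -> bool:
    """A column is a trust anchor only if it carries 'C' and is not explicitly distrusted."""
    return "C" in flags and "p" not in flags


def code_signing_only_roots(entries: List[Entry]) -> List[str]:
    """Roots trusted for object signing but for neither TLS nor S/MIME."""
    return [
        nick
        for nick, (ssl, smime, objsign) in entries
        if is_trust_anchor(objsign) and not is_trust_anchor(ssl) and not is_trust_anchor(smime)
    ]


def tls_overtrusted_in_flat_bundle(entries: List[Entry]) -> List[str]:
    """Roots a flat bundle would trust for TLS if it only honours the distrust flag.

    A consumer that copies every non-distrusted root into one PEM bundle loses the
    per-usage columns, so roots that are anchors only for S/MIME or code signing
    become TLS anchors as a side effect.
    """
    return [
        nick
        for nick, (ssl, smime, objsign) in entries
        if "p" not in ssl
        and not is_trust_anchor(ssl)
        and (is_trust_anchor(smime) or is_trust_anchor(objsign))
    ]


if __name__ == "__main__":
    roots = parse_certutil_listing(SAMPLE_LISTING)
    print("code-signing-only roots:", code_signing_only_roots(roots))
    print("over-trusted for TLS in a flat bundle:", tls_overtrusted_in_flat_bundle(roots))
```

Run against a real store with `certutil -L -d sql:/path/to/nssdb` piped into `parse_certutil_listing`; the second function is the check a distribution maintainer would want before generating a single bundle from the NSS store.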



> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
>