On Tue, Sep 08, 2015 at 12:22:27PM -0700, Ryan Sleevi wrote: > On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote: > > As already pointed out, this is probably at least used by java on > > most Linux distributions. > > When you say "Java", it would be helpful to clarify. > > Oracle/Sun operate their own root store for Java, so this presumably would > be non-Oracle/Sun Java platforms, correct?
It's probably all openjdk / icedtea now. I don't know if we patched it, but it's not using Oracle's root store that is used. > And considering that NSS-as-a-first-class-library is not widely used on > most Linux distributions outside of the Red Hat-derived family, it's > likely that they're using an /etc/ca-certificates (or akin) populated from > the Mozilla Root program, but without respecting either the trust bits > (beyond distrust) or of the application behaviours (e.g. EKU chaining). There are plans to keep the trust settings, but then I have no idea if java is going to use them or not. I guess we'll need to see. > If this is correct (and unless things have significantly improved, I > believe so), it would moreso reaffirm how removing these two trust > programs from the Mozilla store could lead to _more_ security (in the Web > case), even if it might affect other use cases (e.g. S/MIME applications, > non-Oracle Java runtimes) Please note that my only point is that there might be users. I'm not arguing to keep those roots. I hope that since the CAB now makes baseline rules for them it might become more useful to have the settings in the future. Kurt _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
