On Tuesday 08 September 2015 11:08:50 Peter Bowen wrote:
> On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx <[email protected]> wrote:
> > On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
> >> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are
> >> signed using Mozilla's own roots. There doesn't appear to be
> >> anyone else using the roots in the NSS root store for Code
> >> Signing. -- currently under discussion in
> >> mozilla.dev.security.policy.
> >
> > As already pointed out, this is probably at least used by java on
> > most Linux distributions.
>
> Are you aware of any Java implementations that use the trust bits?
> From what I've seen most Linux distributions create trust store
> bundles by either ignoring the trust bits or only filtering out
> explicit distrust.

Fedora 22 does not in fact, in /etc/pki/ca-trust/extracted/pem/ you have
three files with the trust stores extracted:
email-ca-bundle.pem
objsign-ca-bundle.pem
tls-ca-bundle.pem
according to the bits present

--
Regards,
Hubert Kario
Quality Engineer, QE BaseOS Security team
Web: www.cz.redhat.com
Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
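Added example, not part of the original message or of any project's code: one way to check whether a distribution's extracted bundles are actually filtered by trust bit is to compare the sets of certificates in the three files named above. The function names and the report layout are assumptions made for this illustration; the directory and file names are the ones given in the message.

```python
import base64
import hashlib
import re
from pathlib import Path

# Directory and file names as given in the message above (Fedora 22).
BUNDLE_DIR = Path("/etc/pki/ca-trust/extracted/pem")
BUNDLES = {
    "email": "email-ca-bundle.pem",
    "objsign": "objsign-ca-bundle.pem",
    "tls": "tls-ca-bundle.pem",
}
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def fingerprints(pem_text):
    """Return the SHA-256 fingerprints of every DER certificate in a PEM bundle."""
    return {
        hashlib.sha256(base64.b64decode("".join(body.split()))).hexdigest()
        for body in PEM_RE.findall(pem_text)
    }


def compare(bundles):
    """bundles maps purpose -> PEM text. Returns counts per purpose and a filtering verdict."""
    sets = {name: fingerprints(text) for name, text in bundles.items()}
    report = {}
    for name, fps in sets.items():
        others = set().union(*(s for n, s in sets.items() if n != name))
        report[name] = {"total": len(fps), "only_here": len(fps - others)}
    # Identical sets for every purpose mean the trust bits were not used to filter.
    report["filtered_by_purpose"] = len({frozenset(s) for s in sets.values()}) > 1
    return report


if __name__ == "__main__":
    if BUNDLE_DIR.is_dir():
        texts = {n: (BUNDLE_DIR / f).read_text(errors="replace")
                 for n, f in BUNDLES.items()}
        for key, value in compare(texts).items():
            print(key, value)
    else:
        print("no extracted bundles at", BUNDLE_DIR)
```

A result of `filtered_by_purpose: False` means the same roots are offered for e-mail, code signing and TLS alike, which is the behaviour the quoted question describes.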

