Thanks to all of you for your thoughtful and constructive input in this
discussion.

Here is a summary of this discussion so far.

Proposal: Remove references to code signing from Mozilla's CA
Certificate Policy, then turn off all Code Signing trust bits for root
certificates included in the NSS root store. This essentially means that
Mozilla will stop saying that root certificates in the NSS root store
can be trusted for code signing.

Arguments against this proposal:
- Code signing is very important in the embedded space
- Removing the code signing trust bit sends a message that Mozilla does
not want to (and will not) participate in this space
- The loss of Mozilla’s support could be a setback to the embedded
space; i.e. innovation in embedded software could suffer.
- We should not presume that the embedded space is any more amenable to
a one-size-fits-all solution than the SSL space is.

Arguments for this proposal:
- The only situation in which this change will impact an embedded vendor
is if they allow anyone with a public (i.e. chaining to a root cert in
NSS) code-signing certificate to run code on their device.
- A public (i.e. chaining to a root cert in NSS) code-signing cert is
basically a cert that identifies an individual or organization. This
alone is insufficient for a manufacturer to decide to embed another
vendor's software in their products.
- If a manufacturer has a direct relationship with the vendors of the
software they embed, then they can directly trust code-signing
certificates provided by the vendor, and not rely on the certificates
chaining up to a root cert in the NSS root store.
- The manufacturer should maintain their own trust list, and not shift
the responsibility to Mozilla purely because they used the NSS root
store in their system.
- Mozilla already requires that all plugins be signed by Mozilla, so
Mozilla is not depending on the NSS root store for code-signing purposes.
- Mozilla currently does not have robust policies around verifying the
acceptability of root certificates for the purposes of code signing.
- Building a properly run code signing certificate program would be a
ton of work that Mozilla has never done, and is not prepared to do.
- If the decision makers are not well versed in the use cases behind
code signing, then they should not be making decisions regarding root
inclusion/exclusion for code signing.

Other:
- If the decision were made to proceed with the removal of the code
signing trust bit, Mozilla would need to broadly publicize the change,
as there may be smaller consumers of these capabilities who will need to
explore other solutions.

Please let me know if I missed anything or misrepresented any of your
input.

Is there any other input/feedback we should consider?
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
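The "manufacturer should maintain their own trust list" argument above, shown in working code. This is an added example written for this page; it is not code from the thread, from Mozilla or from NSS. It uses Go's crypto/x509 as a stand-in for whatever verifier an embedded device ships, and constructs two throwaway PKIs in memory: the manufacturer's own root with a code-signing certificate issued to a contracted vendor, and an unrelated root (standing in for a public root of the kind found in the NSS store) with a code-signing certificate issued to some unrelated party. All names, serials, the ECDSA P-256 keys and the "firmware image" bytes are constructed for the example. The device loads only the manufacturer's root, so a signature from anyone holding merely a public code-signing certificate is rejected, while the contracted vendor's signature is accepted and a tampered image is caught:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue generates a P-256 key and a certificate for it: a CA when isCA is set, otherwise an
// end-entity certificate with the code-signing EKU. parent == nil yields a self-signed root.
func issue(name string, serial int64, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial), // constructed serial
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// pki builds a root, one code-signing certificate under it, and that certificate's signature over SHA-256(image).
func pki(rootName, signerName string, serial int64, image []byte) (*x509.Certificate, *x509.Certificate, []byte, error) {
	root, rootKey, err := issue(rootName, serial, true, nil, nil)
	if err != nil {
		return nil, nil, nil, err
	}
	signer, signerKey, err := issue(signerName, serial+1, false, root, rootKey)
	if err != nil {
		return nil, nil, nil, err
	}
	digest := sha256.Sum256(image)
	sig, err := ecdsa.SignASN1(rand.Reader, signerKey, digest[:])
	return root, signer, sig, err
}

// verifyImage is the device-side check: the signer must chain to the device's own trust list
// with the code-signing EKU, and the signature must cover the image as presented.
func verifyImage(image, sig []byte, signer *x509.Certificate, trustList *x509.CertPool) error {
	if _, err := signer.Verify(x509.VerifyOptions{Roots: trustList, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}); err != nil {
		return fmt.Errorf("signer not on this device's trust list: %w", err)
	}
	pub, ok := signer.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(image)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not verify under %q", signer.Subject.CommonName)
	}
	return nil
}

// Scenario builds the manufacturer's PKI and an unrelated "public" PKI, loads only the
// manufacturer's root onto the device, and reports which of three images the device accepts.
func Scenario() (vendorOK, strangerOK, tamperedOK bool, err error) {
	image := []byte("constructed firmware image v1.0") // constructed payload
	mfgRoot, vendor, vendorSig, err := pki("Manufacturer Root (constructed)", "Contracted Vendor (constructed)", 1, image)
	if err != nil {
		return false, false, false, err
	}
	// Stand-in for a public root and a code-signing cert it issued to a party the manufacturer never vetted.
	_, stranger, strangerSig, err := pki("Public CA Root (constructed)", "Unrelated Party (constructed)", 3, image)
	if err != nil {
		return false, false, false, err
	}
	trustList := x509.NewCertPool() // the device's own trust list: manufacturer root only
	trustList.AddCert(mfgRoot)
	tampered := append([]byte{image[0] ^ 0xff}, image[1:]...) // one bit flipped in the vendor-signed image
	return verifyImage(image, vendorSig, vendor, trustList) == nil,
		verifyImage(image, strangerSig, stranger, trustList) == nil,
		verifyImage(tampered, vendorSig, vendor, trustList) == nil, nil
}

func main() {
	v, s, t, err := Scenario()
	fmt.Println("vendor accepted:", v, "stranger accepted:", s, "tampered accepted:", t, "err:", err)
}
```

The decisive line is the `x509.NewCertPool()` that holds only the manufacturer's root: the device's policy is its own, and which roots Mozilla marks for code signing has no bearing on the check. Requiring the code-signing EKU on the chain is a second, independent guard, so a certificate issued for another purpose under the manufacturer's root would also be refused.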