Hi Kathleen, 

This summary looks pretty good. I think you could add the point raised by Man 
Ho which essentially asks the question of who should/can/will evaluate the 
trustworthiness of root certs. There are pros and cons either way on that one.

One last comment I'll make is that, among other things, I've been approaching 
this from the standpoint of Mozilla's commitment to openness, open-source, and 
security. Perhaps that's a bit rosy but I'll offer it up for whatever it may be 
worth.

Thanks.

----- Original Message -----
From: Kathleen Wilson
Sent: Thursday, September 17, 2015 6:26 PM
To: [email protected]
Subject: Re: Policy Update Proposal: Remove Code Signing Trust Bit

Thanks to all of you for your thoughtful and constructive input in this 
discussion.

Here is a summary of this discussion so far.

Proposal: Remove references to code signing from Mozilla's CA 
Certificate Policy, then turn off all Code Signing trust bits for root 
certificates included in the NSS root store. This essentially means that 
Mozilla will stop saying that root certificates in the NSS root store 
can be trusted for code signing.

Arguments against this proposal:
- Code signing is very important in the embedded space
- Removing the code signing trust bit sends a message that Mozilla does 
not want to (and will not) participate in this space
- The loss of Mozilla’s support could be a setback to the embedded 
space; i.e. innovation in embedded software could suffer.
- We should not presume that the embedded space is any more amenable to 
a one-size-fits-all solution any more than the SSL space is.


Arguments for this proposal:
- The only situation in which this change will impact an embedded vendor 
is if they allow anyone with a public (i.e. chaining to a root cert in 
NSS) code-signing certificate to run code on their device.
- A public (i.e. chaining to a root cert in NSS) code-signing cert is 
basically a cert that identifies an individual or organization. This 
alone is insufficient for a manufacturer to decide to embed another 
vendor's software in their products.
- If a manufacturer has a direct relationship with the vendors of the 
software they embed, then they can directly trust code-signing 
certificates provided by the vendor, and not rely on the certificates 
chaining up to a root cert in the NSS root store.
- The manufacturer should maintain their own trust list, and not shift 
the responsibility to Mozilla purely because they used the NSS root 
store in their system.
- Mozilla already requires that all plugins be signed by Mozilla, so 
Mozilla is not depending on the NSS root store for code-signing purposes.
- Mozilla currently does not have robust policies around verifying the 
acceptability of root certificates for the purposes of code signing.
- Building a properly run code signing certificate program would be a 
ton of work that Mozilla has never done, and is not prepared to do.
- If the decision makers are not well versed in the use cases behind 
code signing, then they should not be making decisions regarding root 
inclusion/exclusion for code signing.


Other:
- If the decision were made to proceed with the removal of the code 
signing trust bit, Mozilla would need to broadly publicize the change, 
as there may be smaller consumers of these capabilities who will need to 
explore other solutions.


Please let me know if I missed anything or misrepresented any of your 
input.

Is there any other input/feedback we should consider?

Thanks,
Kathleen
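
The device-side check that the "arguments for" list describes, a manufacturer keeping its own trust list and verifying vendor signatures against it instead of accepting any certificate that chains to a public root, as an added Go example. This is not code from the thread, from Mozilla or from NSS; the self-signed signer fixture, the firmware payload and the subject names are constructed for illustration, and the "broad" list merely stands in for a store that admits any publicly trusted code signer.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// SignedImage is a constructed stand-in for a firmware package.
type SignedImage struct {
	Payload   []byte
	Signature []byte // ECDSA signature over SHA-256(Payload)
	Cert      *x509.Certificate
}

// must panics on fixture errors; the fixtures below only build constructed test data.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newSigner is a hypothetical fixture: a self-signed code-signing certificate and its key.
func newSigner(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// signImage signs the SHA-256 digest of payload with the signer's key.
func signImage(payload []byte, key *ecdsa.PrivateKey, cert *x509.Certificate) *SignedImage {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	must(err)
	return &SignedImage{Payload: payload, Signature: sig, Cert: cert}
}

// verifyImage accepts an image only if its signer chains to one of the supplied anchors
// with the code-signing EKU and the signature matches the payload. Which anchors the
// device ships with is the policy question in the thread.
func verifyImage(img *SignedImage, anchors *x509.CertPool) error {
	opts := x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := img.Cert.Verify(opts); err != nil {
		return fmt.Errorf("signer not in trust list: %w", err)
	}
	digest := sha256.Sum256(img.Payload)
	pub, ok := img.Cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], img.Signature) {
		return fmt.Errorf("signature does not verify under the signer's key")
	}
	return nil
}

// Demo builds two trust lists and checks the same images against each.
func Demo() (vendorAccepted, strangerRejected, strangerAcceptedBroadly, tamperedRejected bool) {
	vendorCert, vendorKey := newSigner("Constructed Vendor Code Signing")
	otherCert, otherKey := newSigner("Constructed Unrelated Signer")
	// Device trust list: only the vendor the manufacturer has a direct relationship with.
	deviceList := x509.NewCertPool()
	deviceList.AddCert(vendorCert)
	// Broad list standing in for "anyone holding a publicly trusted code-signing cert".
	broadList := x509.NewCertPool()
	broadList.AddCert(otherCert)
	firmware := []byte("constructed firmware image v1.0") // constructed payload
	vendorImg := signImage(firmware, vendorKey, vendorCert)
	otherImg := signImage(firmware, otherKey, otherCert)
	tampered := &SignedImage{Payload: append([]byte("x"), firmware...), Signature: vendorImg.Signature, Cert: vendorCert}
	return verifyImage(vendorImg, deviceList) == nil, // identity we chose to trust
		verifyImage(otherImg, deviceList) != nil, // a valid identity, but no relationship
		verifyImage(otherImg, broadList) == nil, // same image passes a permissive list
		verifyImage(tampered, deviceList) != nil // trusted signer, altered payload
}

func main() {
	fmt.Println(Demo())
}
```

The second and third results are the point the summary makes: a certificate that merely identifies some organization is accepted or rejected purely by which anchors the device ships with, so the manufacturer, not the root store operator, is the one deciding who may run code on the device.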


_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy