I checked with our team, and we think it would be a mistake for Mozilla to remove the trust bits for either code signing or email certs.
The Mozilla NSS root store is used by some well-known applications as discussed, but also by many unknown applications. If the trust bits are removed, CAs who issue code signing or email certs may find multiple environments dependent on the NSS root store where the CA's products will no longer work - and we don't have a list of those environments today. In the future, there may be even greater use of and need for the trust bits for these certs than there is today (as the use of code signing and email certs, and maybe related future products, may increase) - but once the trust bits are gone from the NSS root store, they are gone forever. Mozilla does a sensible public review of a CA's practices for code signing and email certs before turning on the trust bits - and if Mozilla's review isn't sufficient, whose is? Plus, 90%+ of the important issues for security for these trust bits (concerning CA infrastructure security, etc.) are covered for the CA already for SSL and audited by WebTrust and ETSI, so the remaining issues for the code signing and email trust bits really can be limited to the CA's authentication and issuance practices. Even without clear industry authentication standards such as exist for SSL in the Baseline Requirements, who can conduct this review better than Mozilla? (Answer: no one, and no one else will bother to do the review.) Without Mozilla trust bits, the trustworthiness of these types of certs will likely go down. Finally, if the trust bits are turned off, I'm concerned that some applications that use code signing and email certs will just go static on their trusted roots - they will freeze their trusted root stores as of 2015 when Mozilla turns off the trust bits, and never bother to update (as they have no place to go for an update).
Over time, their root stores may include CAs whose roots have been limited or revoked, but the applications may not think it's useful to update their own root stores because Mozilla is no longer maintaining the trust bits they care about. New CAs could be frozen out of these applications. If the work is too much for Mozilla to continue - consider a less-good approach which says that if a root is trusted in the NSS root store for SSL (has current audits, etc.), its trust bits for code signing and email will automatically be turned on, and will only be turned off (removed) if the CA is found to have done something bad with its code signing and/or email certs. Trusted by default, but can lose the trust bits by bad actions.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

