On Wed, Sep 30, 2015 at 3:11 PM, [email protected] <
[email protected]> wrote:

> The Mozilla NSS root store is used by some well-known applications as
> discussed, but also by many unknown applications.  If the trust bits are
> removed, CAs who issue code signing or email certs may find multiple
> environments dependent on the NSS root store where the CA's products will
> no longer work - and we don't have a list of those environments today.
>

That's OK.


> Mozilla does a sensible public review of a CA's practices for code signing
> and email certs before turning on the trust bits - and if Mozilla's review
> isn't sufficient, whose is?


Perhaps nobody's is, and the whole idea of using publicly-trusted CAs for
code signing and email certs is flawed and so nobody should do this.


> Who can conduct this review better than Mozilla?  (Answer: no one, and no
> one else will bother to do the review.)


If nobody will do it then that means nobody thinks it is important enough
to invest in. Why should Mozilla bother doing it if nobody cares enough to
invest in it?


> Without Mozilla trust bits, the trustworthiness of these types of certs
> will likely go down.
>

Isn't that a good thing? If the issuing policies have been insufficiently
reviewed, then that means Mozilla's current endorsement of these CAs is
misleading people into trusting these certs more than they should be.
Dropping these trust bits would be a clear sign that trust in these certs
should be re-evaluated, which is a good thing.


> Finally, if the trust bits are turned off, I'm concerned that some
> applications that use code signing and email certs will just go static on
> their trusted roots


A vendor that does that is a bad vendor with bad judgement and you should
probably not trust any of their products.


> Trusted by default, but can lose the trust bits by bad actions.
>

I wish you would have led with this completely ridiculous suggestion
instead of the only-slightly-less ridiculous stuff that preceded it.

Cheers,
Brian
-- 
https://briansmith.org/
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy