| Hi Kirk-- Would it be possible to provide some specific examples of the applications you have in mind? Or maybe some use cases that would be relevant here (in the context of code signing)? My contention has been a significant need exists for code signing and that it matters to everyone. Unfortunately the discussion has been long on opinion (including my own) and short on good examples. I think there is general agreement that the current Mozilla practices need improvement so the question becomes does Mozilla want to take on that work or just bow out altogether. I would hasten to add that just because a security feature/solution has shortcomings does not necessarily mean it's better to do nothing to avoid any "false sense of security". Such thinking can be problematic--citation provided: https://news.ycombinator.com/item?id=6166731 One final comment: in terms of the embedded space, without publicly vetted roots I think it's safe to say that most products will include whatever root is necessary just to make the product work and that security concerns might not play much of a role, if any, in the decision making. I don't think that's such a great outcome. Again, an opinion but one based on first-hand experience.
I checked with our team, and we think it would be a mistake for Mozilla to remove the trust bits for either code signing or email certs. The Mozilla NSS root store is used by some well-known applications as discussed, but also by many unknown applications. If the trust bits are removed, CAs who issue code signing or email certs may find multiple environments dependent on the NSS root store where the CA's products will no longer work - and we don't have a list of those environments today. In the future, there may be even greater use of and need for the trust bits for these certs than there is today (as the use of code signing and email certs, and maybe related future products, may increase) - but once the trust bits are gone from the NSS root store, they are gone forever. ...snip... | ||
_______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
