My technical team was only able to identify Linux as using the NSS root store, but everyone assumes that other applications also rely on it as a trusted resource.
As to whether or not to remove the trust bits for code signing and email, I guess I would ask: Why did Mozilla include/create the trust bits in the first place? Was it only to support Mozilla applications like Thunderbird? Or was it to serve as a public resource, beyond Mozilla applications? If the former, and if Mozilla no longer has any code signing or email certificate dependent applications, then I suppose you can drop the trust bits. If it was the latter, then I would say the same reasons apply today – you are doing something to help the security of the internet, and maybe you should continue even if you have no immediate plan to use or recognize the trust bits in any ongoing Mozilla applications.

If you drop the trust bits, it will be very hard to start them up again in the future, and probably more time consuming to recreate the trust bits and requalify roots than if you just keep the trust bits for now. Also, I would argue that keeping the trust bits helps keep Mozilla at the forefront of the industry and more relevant to the internet community compared to other browsers than if you drop them – something that may be important.

I don’t think it’s realistic to expect every application that is dependent on code signing and/or email certs to maintain its own individual trusted root store. Perhaps they will default to the Windows root store instead of the Mozilla NSS root store – is that good for Mozilla’s future? So ultimately this question is part technical and part a business decision for Mozilla, and only Mozilla can decide what direction it wants to go.

From: Peter Kurrasch [mailto:[email protected]]
Sent: Friday, October 02, 2015 9:54 PM
To: Kirk Hall (RD-US); [email protected]
Subject: Re: Policy Update Proposal: Remove Code Signing Trust Bit

Hi Kirk--

Would it be possible to provide some specific examples of the applications you have in mind? Or maybe some use cases that would be relevant here (in the context of code signing)?
My contention has been that a significant need exists for code signing and that it matters to everyone. Unfortunately the discussion has been long on opinion (including my own) and short on good examples. I think there is general agreement that the current Mozilla practices need improvement, so the question becomes whether Mozilla wants to take on that work or just bow out altogether. I would hasten to add that just because a security feature/solution has shortcomings does not necessarily mean it's better to do nothing to avoid any "false sense of security". Such thinking can be problematic--citation provided: https://news.ycombinator.com/item?id=6166731

One final comment: in terms of the embedded space, without publicly vetted roots I think it's safe to say that most products will include whatever root is necessary just to make the product work, and that security concerns might not play much of a role, if any, in the decision making. I don't think that's such a great outcome. Again, an opinion but one based on first-hand experience.

From: [email protected]
Sent: Wednesday, September 30, 2015 8:11 PM

I checked with our team, and we think it would be a mistake for Mozilla to remove the trust bits for either code signing or email certs. The Mozilla NSS root store is used by some well-known applications as discussed, but also by many unknown applications. If the trust bits are removed, CAs who issue code signing or email certs may find multiple environments dependent on the NSS root store where the CA's products will no longer work - and we don't have a list of those environments today. In the future, there may be even greater use of and need for the trust bits for these certs than there is today (as the use of code signing and email certs, and maybe related future products, may increase) - but once the trust bits are gone from the NSS root store, they are gone forever.

...snip...
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

