On Wednesday, 17 August 2016 04:24:27 UTC+1, Ryan Sleevi wrote:
> That option's pretty much a non-starter for reasons best not speculated about, 
> but I'm curious: Why or how would that improve the security of Mozilla users? 
> And if it doesn't meaningfully improve their security, how would it at least 
> further the Mozilla principle of individuals' security and privacy?

I offered it only as one more option, without intending to suggest that I 
prefer it at all or any cost. The core purpose of this option is to improve 
security for the _entire_ Web PKI.

Mozilla's users are threatened by attacks on the Web PKI even if those attacks 
don't work on Firefox itself. Most of its users rely on an OS made by the other 
trust store operators, and in which almost all TLS-capable components use that 
store, not NSS, for trust decisions. So it is an error to think these users are 
only "at risk" if Mozilla doesn't act to protect them; the risk persists unless 
all the major trust stores act.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
