On 18/10/2016 01:22, Kurt Roeckx wrote:
On Tue, Oct 18, 2016 at 12:39:42AM +0200, Kurt Roeckx wrote:
On Tue, Oct 18, 2016 at 12:22:21AM +0200, Jakob Bohm wrote:
Over the past few years, this has caused the Mozilla root list to
become less and less useful for the rest of the open source world, a
fact which at least some of the Mozilla-root-list-copying open source
projects seem not to be aware of yet.
I think the problems for the open source community are:
1) There is no good way to deal with revocation checking, it
doesn't have anything that deals with something like OneCRL
2) Mozilla doesn't care about non-https.
I wanted to add that none of this is relevant to what Ryan was
saying. Maybe the root list itself is becoming less useful, but
that doesn't mean the discussion list is.
Also, the problems for the open source community aren't new; it's
just that some of Mozilla's solutions either don't work for them,
they don't know about them, or they don't use it. (It's probably a
In the not so distant past, the Mozilla root program was much more
useful due to different behavior:
1. Mozilla managed the root program based on an assumption that relying
parties would use the common standard revocation checking methods
*only* (regular CRLs as present since Netscape created SSL and OCSP).
2. Mozilla managed trust bits and inclusion policies for https,
non-https TLS (e.g. imaps, pops and smtps), e-mail S/MIME, and
generic object/code signing. Again, this was true since the days
when this was the Netscape Navigator trust list.
Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
dev-security-policy mailing list