On Tue, Oct 18, 2016 at 5:51 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 17/10/16 16:26, Kathleen Wilson wrote:
>> ones who use NSS validation. I’m not sure what we can do about other
>> consumers of the NSS root store, other than publish what we are doing
>> and hope those folks read the news and update their version of their
>> root store as they see appropriate for their use.
> We cannot fix everyone else's code, but I think it would be reasonable
> for us to produce and maintain a wiki page which complements
> certdata.txt which gives all the other restrictions Mozilla recommends
> on the roots therein.
I think making it clear which entries in certdata.txt have additional
constraints would be very helpful. Is it maybe possible to do so by
adding new attributes to the NSS_TRUST object instead of simply
putting it on a webpage? That way it is in the same place and is
machine readable. Even if the attribute are not processed when
creating libckfw, others can use them.
dev-security-policy mailing list