On Tue, Oct 18, 2016 at 5:51 AM, Gervase Markham <g...@mozilla.org> wrote:
> On 17/10/16 16:26, Kathleen Wilson wrote:
>> ones who use NSS validation. I’m not sure what we can do about other
>> consumers of the NSS root store, other than publish what we are doing
>> and hope those folks read the news and update their version of their
>> root store as they see appropriate for their use.
>
> We cannot fix everyone else's code, but I think it would be reasonable
> for us to produce and maintain a wiki page which complements
> certdata.txt which gives all the other restrictions Mozilla recommends
> on the roots therein.

I think making it clear which entries in certdata.txt have additional
constraints would be very helpful.  Is it maybe possible to do so by
adding new attributes to the NSS_TRUST object instead of simply
putting it on a webpage?  That way it is in the same place and is
machine readable.  Even if the attribute are not processed when
creating libckfw, others can use them.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to