On Thursday, May 11, 2017 at 3:21:41 PM UTC+1, Cory Benfield wrote:
> While I’m very supportive of this kind of remediation, it is not a
> remediation that non-browser implementations can follow very easily. For
> example, I run a downstream non-browser HTTP client[1] that by default uses a
> processed version of the Mozilla CA database[2] to define its list of trusted
> roots. This is very convenient, as it allows me to delegate the job of
> running a CA program to Mozilla and MDSP, a collection of people much better
> equipped to handle the job. This is a common approach throughout the open
> source ecosystem: for example, curl also makes available a processed version
> of the Mozilla trust database.

I find it's useful to actually provide the footnotes you say you will:

[1]: http://docs.python-requests.org/en/master/
[2]: https://github.com/certifi/python-certifi

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

