On 12/05/17 09:18, Cory Benfield wrote:
> I try not to decide whether there is interest in features like this:
> if they’re easy I’d just implement them and let users decide if they
> want it. That’s what I’d be inclined to do here. If Mozilla added
> such a flag, I’d definitely be open to adding an extra certifi
> bundle. Certifi currently already ships with two bundles (one
> labelled “weak”, which includes 1024-bit roots to work around
> problems with older OpenSSLs), so we could easily add a third called
> “strong” or “pedantic” or “I hate CAs” or something that removes any
> CA that is subject to graduated trust in Firefox.

If people actually care enough to make a root store choice, should we be
encouraging them instead to use a store containing only the CA they care
about for the connection they are making (and perhaps a backup)? In
other words, is some sort of easy-to-use root store filtering/splitting
tool a better solution to this issue?

Gerv
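
A sketch of the kind of root store filtering tool the message above asks about, added here as an illustration and not code from certifi, Mozilla or either poster: it splits a PEM bundle and keeps only the certificates whose SHA-256 fingerprint is on an allow-list. The function names are hypothetical, and the sample bundle is built from constructed placeholder bytes rather than real certificates.

```python
import base64
import hashlib
import re
import textwrap

# Matches one PEM certificate block, capturing its base64 body.
PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def split_bundle(pem_text):
    """Return the DER bytes of every certificate block in a PEM bundle."""
    return [base64.b64decode("".join(m.group(1).split()))
            for m in PEM_CERT.finditer(pem_text)]


def fingerprint(der):
    """SHA-256 fingerprint of the DER encoding, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def to_pem(der):
    """Re-encode DER bytes as a PEM block with 64-character lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def filter_bundle(pem_text, allowed_fingerprints):
    """Keep only allow-listed roots; refuse if a pinned root is missing."""
    allowed = {fp.replace(":", "").lower() for fp in allowed_fingerprints}
    kept = [d for d in split_bundle(pem_text) if fingerprint(d) in allowed]
    missing = allowed - {fingerprint(d) for d in kept}
    if missing:
        # A pinned root that is absent from the source bundle means the
        # resulting store would not match the operator's intent.
        raise ValueError(f"roots not in bundle: {sorted(missing)}")
    return "".join(to_pem(d) for d in kept)


# Constructed sample: placeholder bytes stand in for DER certificates.
SAMPLE_DER = [b"constructed-root-A" * 8,
              b"constructed-root-B" * 8,
              b"constructed-root-C" * 8]
SAMPLE_BUNDLE = "".join(to_pem(d) for d in SAMPLE_DER)
```

With a real bundle, the string returned by `filter_bundle` can be passed as `cadata` to `ssl.create_default_context` so that a connection trusts only the pinned roots.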