That's not an appropriate way to participate in a mailing list, please communicate civilly.

Alex

On Tue, May 16, 2017 at 8:53 AM, Jakob Bohm via dev-security-policy <[email protected]> wrote:

> On 11/05/2017 18:42, Ryan Sleevi wrote:
>
>> On Thu, May 11, 2017 at 11:57 AM, Alex Gaynor via dev-security-policy <[email protected]> wrote:
>>
>>> Ryan,
>>>
>>> I think you've correctly highlighted that there's a problem -- the Mozilla CA store is "designed" to be consumed from NSS, and CA-specific remediations are a part of that (hash algorithms, maximum certificate lifetimes, and any number of other important technical controls).
>>>
>>> Unfortunately, we're currently in a position where, near as I can tell, most code (except Go code :P) making HTTPS requests is using a Mozilla-derived CA store and OpenSSL's verifier, which only provides a subset of the technical controls browsers implement. This is unfortunate, particularly because these clients also do not check CT, so it's entirely possible to serve them certs which are not publicly visible. In a large sense, browsers currently act as canaries-in-the-coalmine, protecting non-browser clients.
>>>
>>> Like Cory, I help maintain non-browser TLS clients. To that end, I think it'd be outstanding if as a community we could find a way to get more of these technical controls into non-browser clients -- some of this is just things we need to do (e.g. add hash algorithm and lifetime checking to OpenSSL or all consumers of it),
>>
>> Yes :) There's a significant amount that needs to happen in the third-party verifiers to understand and appreciate the risk of certain behaviours ;)
>>
>>> others need coordination with Mozilla's root program, and I think Cory's proposal highlights one way of making that happen.
>>
>> Right, but these already flow into the NSS trust store - when appropriate. I'm sure you can understand when a piece of logic is _not_ implemented in NSS (e.g. because it's not generic beyond the case of browsers), that it seems weird to put it in/expose it in NSS :)
>>
>> To be clear: I'm not trying to suggest it's an entirely unreasonable request, merely an explanation of the constraints around it and why the current approach is employed that tries to balance what's right for Mozilla users and the overall NSS using community :)
>
> Can you please get it into your thick skull that this thread is NOT ABOUT NSS, IT IS ABOUT ALL THE OTHER X.509 LIBRARIES that can be configured to use a copy of the Mozilla Root store!
>
> Enjoy
>
> Jakob
>
> --
> Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com
> Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10
> This public discussion message is non-binding and may contain errors.
> WiseMo - Remote Service Management for PCs, Phones and Embedded
> _______________________________________________
> dev-security-policy mailing list
> [email protected]
> https://lists.mozilla.org/listinfo/dev-security-policy
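Alex's point in the quoted message, that non-browser clients lack the hash-algorithm and certificate-lifetime controls browsers apply, as an added Go example (not code from the thread, from NSS, OpenSSL or Go's own verifier): a policy layer a client could run on a leaf certificate after ordinary chain validation. The lifetime limit, the weak-algorithm set and the self-signed test certificate are assumptions constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// Policy values are assumptions for this example, not figures from the thread: the longest leaf lifetime accepted and the signature algorithms rejected as weak.
const maxLeafLifetime = 825 * 24 * time.Hour

var weakSigAlgs = map[x509.SignatureAlgorithm]bool{
	x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
	x509.ECDSAWithSHA1: true, x509.DSAWithSHA1: true,
}

// CheckLeafPolicy applies the two controls the thread names (hash algorithm and lifetime) to a leaf certificate after chain validation has already passed.
func CheckLeafPolicy(cert *x509.Certificate) error {
	if weakSigAlgs[cert.SignatureAlgorithm] {
		return fmt.Errorf("weak signature algorithm %s", cert.SignatureAlgorithm)
	}
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	if lifetime <= 0 || lifetime > maxLeafLifetime {
		return fmt.Errorf("lifetime %v outside (0, %v]", lifetime, maxLeafLifetime)
	}
	return nil
}

// selfSigned builds a constructed self-signed ECDSA/SHA-256 certificate valid for the given number of days, so the example needs no real CA.
func selfSigned(days int) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return nil, err }
	now := time.Now()
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return nil, err }
	return x509.ParseCertificate(der)
}

func main() {
	for _, days := range []int{90, 1000} {
		c, err := selfSigned(days)
		if err != nil { panic(err) }
		fmt.Printf("%d-day certificate: %v\n", days, CheckLeafPolicy(c))
	}
}
```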

