On Monday, 12 June 2017 17:31:58 UTC+1, Steve Medin wrote:
> We think it is critically important to distinguish potential removal of 
> support for current roots in Firefox versus across NSS. Limiting Firefox 
> trust to a subset of roots while leaving NSS unchanged would avoid 
> unintentionally damaging ecosystems that are not browser-based but rely on 
> NSS-based roots such as code signing, closed ecosystems, libraries, etc.

Abusing NSS to support code signing or "closed ecosystems" would be an error 
regardless of what happens to Symantec; it makes no real sense for us to 
prioritize supporting such abuse. To the extent that m.d.s.policy represents 
consumers of NSS certdata other than Firefox, they've _already_ represented 
very strongly that what they want is for this data to follow Mozilla's trust 
decisions more closely, not less.

I have no doubt that Symantec believes it could make more money if archaic 
Symantec-controlled CA roots remain in NSS certdata forever, but it doesn't 
serve Mozilla's wider purpose to allow that, nor does it serve the purpose of 
the non-Mozilla people on m.d.s.policy.

Further, the use of NSS certdata in libraries is absolutely key to a secure Web 
PKI. I spent a good portion of last week and will probably spend more time yet 
chasing problems with such libraries. It may well suit Symantec to be able to 
tell their customers "We can issue you anything [for a fee] and it'll be 
trusted by libraries" knowing you've advocated for this, but it hurts the 
Relying Parties because it exposes them to unlimited risk which will be 
disclaimed later as "not affecting Firefox".
dev-security-policy mailing list
