On Monday, 12 June 2017 17:31:58 UTC+1, Steve Medin wrote: > We think it is critically important to distinguish potential removal of > support for current roots in Firefox versus across NSS. Limiting Firefox > trust to a subset of roots while leaving NSS unchanged would avoid > unintentionally damaging ecosystems that are not browser-based but rely on > NSS-based roots such as code signing, closed ecosystems, libraries, etc.
Abusing NSS to support code signing or "closed ecosystems" would be an error regardless of what happens to Symantec, it makes no real sense for us to prioritize supporting such abuse. To the extent that m.d.s.policy represents consumers of NSS certdata other than Firefox, they've _already_ represented very strongly that what they want is for this data to follow Mozilla's trust decisions more closely not less. I have no doubt that Symantec believes it could make more money if archaic Symantec-controlled CA roots remain in NSS certdata forever but it doesn't serve Mozilla's wider purpose to allow that, nor does it serve the purpose of the non-Mozilla people on m.d.s.policy. Further the use of NSS certdata in libraries is absolutely key to a secure Web PKI. I spent a good portion of last week and will probably spend more time yet chasing problems with such libraries. It may well suit Symantec to be able to tell their customers "We can issue you anything [for a fee] and it'll be trusted by libraries" knowing you've advocated for this, but it hurts the Relying Parties because it exposes them to unlimited risk which will be disclaimed later as "not affecting Firefox". _______________________________________________ dev-security-policy mailing list firstname.lastname@example.org https://lists.mozilla.org/listinfo/dev-security-policy