On Mon, Jun 19, 2017 at 7:01 PM, Jakob Bohm via dev-security-policy <
dev-security-policy@lists.mozilla.org> wrote:

> NSS until fairly recently was in fact used for code signing of Firefox
> extensions using the public PKI (this is why there is a defunct code
> signing trust bit in the NSS root store).
>

This is not an accurate representation on why there is a code signing trust
bit in the NSS root store.


> I also believe that the current checking of "AMO" signatures is still
> done by NSS, but not using the public PKI.
>

If you mean with respect to code, sure, but that is a generic signature
checking.


> This makes it completely reasonable for other users of the NSS libraries
> to still use it for code signing, provided that the "code signing" trust
> bits in the NSS root store are replaced with an independent list,
> possibly based on the CCADB.
>

This is not correct. The NSS team has made it clear the future of this code
with respect to its suitability as a generic "code signing" functionality -
that is, that it is not.


> It also makes it likely that systems with long development / update
> cycles have not yet deployed their own replacement for the code signing
> trust bits in the NSS root store, even if they have a semi-automated
> system importing changes to the NSS root store.  That would of cause be
> a mistake on their part, but a very likely mistake.


This was always a mistake, not a recent one. But a misuse of the API does
not make a valid use case.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to