On Mon, Jun 19, 2017 at 7:01 PM, Jakob Bohm via dev-security-policy < [email protected]> wrote:
> NSS until fairly recently was in fact used for code signing of Firefox > extensions using the public PKI (this is why there is a defunct code > signing trust bit in the NSS root store). > This is not an accurate representation on why there is a code signing trust bit in the NSS root store. > I also believe that the current checking of "AMO" signatures is still > done by NSS, but not using the public PKI. > If you mean with respect to code, sure, but that is a generic signature checking. > This makes it completely reasonable for other users of the NSS libraries > to still use it for code signing, provided that the "code signing" trust > bits in the NSS root store are replaced with an independent list, > possibly based on the CCADB. > This is not correct. The NSS team has made it clear the future of this code with respect to its suitability as a generic "code signing" functionality - that is, that it is not. > It also makes it likely that systems with long development / update > cycles have not yet deployed their own replacement for the code signing > trust bits in the NSS root store, even if they have a semi-automated > system importing changes to the NSS root store. That would of cause be > a mistake on their part, but a very likely mistake. This was always a mistake, not a recent one. But a misuse of the API does not make a valid use case. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
