On Tue, Jun 27, 2017 at 1:49 PM Gervase Markham via dev-security-policy <[email protected]> wrote:

> On 27/06/17 10:35, Ryan Sleevi wrote:
> > If that is the goal, it may be useful to know what the proposed limitations
> > / dependencies are. For example, the translation of the txt to the c file
> > generated non-trivial concern among the NSS development team to support.
>
> I propose it be part of the checkin process (using a CI tool or similar)
> rather than part of the build process. Therefore, there would be no new
> build-time dependencies for NSS developers.

This was something the NSS developers explicitly moved away from with respect to certdata.c

> > For example, one possible suggestion is to adopt a scheme similar to, or
> > identical to, Microsoft's authroot.stl, which is PKCS#7, with attributes
> > for indicating age and expiration, and the ability to extend with
> > vendor-specific attributes as needed. One perspective would be to say that
> > Mozilla should just use this work.
>
> That's one option. I would prefer something which is both human and
> computer-readable, as certdata.txt (just about) is.

Why? Opinions without justification aren't as useful ;)

(To be fair, this is broadly about articulating and agreeing use cases before too much effort is spent)

> Apple suggested they'd like to make this data available; my hope would
> be that if a format could be defined, they might be persuaded to adopt it.

And if they can't, is that justified? That is, it sounds like you're less concerned about cross-vendor interoperability, and only concerned with Apple interoperability. Is that correct?

> > Further, one could
> > reasonably argue that an authroot.stl approach would trouble Apple, much as
> > other non-SDO driven efforts have, due to IP concerns in the space.
> > Presumably, such collaboration would need to occur somewhere with
> > appropriate IP protections.
>
> Like, really? Developing a set of JSON name-value pairs to encode some
> fairly simple structured data has potential IP issues? What kind of mad
> world do we live in?

It doesn't matter the format - it matters how and where it was developed.

