On 05/07/17 18:08, Ryan Sleevi wrote: > That is, the difference between, say: > "label": "Verisign/RSA Secure Server CA" > And > CKA_LABEL "Verisign/RSA Secure Server CA"
Not much, but you've picked the clearest part of certdata.txt to compare :-) > It isn't, because JSON can't. As Rob notes, you can basically have them in all but name. > I'm thinking you may have misunderstood? Are you suggesting certdata.txt is > canonical or not? Otherwise, they can't continue doing it hat way - they > would have to use whatever format you adopt, and whatever new tools. I apologise that I seem not to have made this clear; my suggestion is that the new file is canonical and (near-)complete, and certdata.txt, ExtendedValidation.cpp and other files get generated from it, whenever NSS/Firefox want to take a new release of the root store. > Would you see it being as independent, or subservient to Firefox? If you > saw it as independent, then you would presumably need to ensure that - like > today - Firefox-specific needs, like EV or trust restrictions, did not > creep into the general code. I don't think that follows. EV trustworthiness is a property of the root store. The root program makes those decisions, and it's entirely appropriate that they be encoded in root program releases. We also make decisions on "trust restrictions", so I'm not sure why you call that a "Firefox-specific need". > Of course, it seems like your argument is you want to express the Firefox > behaviors either directly in NSS (as some trust restrictions are, via code) > or via some external, shared metafile, which wouldn't be relevant to > non-Firefox consumers. Perhaps this is the disconnect. Several non-Firefox consumers have said they are very interested in an encoding of the root program's partial trust decisions. > doing - they're interested in what Firefox is doing, and to get that, they > would need to consume certdata.txt as well. No, because they could consume whatever copy of the upstream file Firefox had imported. I don't expect "Mozilla's root store's trust view" and "Trusted by Firefox" ever to diverge, apart from due to time skew, and perhaps occasionally due to unencodeable restrictions. Anyway, off on holiday, back in 3 weeks :-) Gerv _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
