On 29/07/17 23:45, Peter Bowen wrote:
> First, when the server authentication trust bits will be removed from
> the existing roots.  This is of notable importance for non-Firefox
> users of NSS.  Based on the Chrome email, it looks like they will
> remove trust bits in their git repo around August 23, 2018.  When will
> NSS remove the trust bits?

The NSS trust store represents Mozilla's decisions about what is
trustworthy. However, particularly if we match Chrome's dates, there is
a slightly unusual situation as we have taken a decision on
trustworthiness but, for other reasons, Firefox still trusts those certs
for a period. So one might well ask, should the decision be implemented
in NSS earlier than, or at the same time as, or even later than, Firefox
implements it? A good question.

> Second, how the dates apply to email protection certificates, if at
> all.  Chrome only deals with server authentication certificates, so
> their decision does not cover other types of certificates.  Will the
> email protection trust bits be turned off at some point?

Absent the bandwidth to spend more time on email-specific issues with
our root store, I would expect to stop trusting all the same roots for
email as well, at the same time.

> Third, what the requirements are for Symantec to submit new roots,
> including any limit to how many may be submitted.
> https://ccadb-public.secure.force.com/mozilla/IncludedCACertificateReport
> shows that there are currently 20 Symantec roots included.  Would it
> be reasonable for them to submit replacements on a 1:1 basis -- that
> is 20 new roots?

No. A new submission would be treated as any new submission. My guess
without talking to Symantec was that they might want four roots, for a
2x2 matrix of {RSA, ECC} and {EV, non-EV}. A figure in that ballpark
would be acceptable.

dev-security-policy mailing list