In mozilla.dev.security, Jeremy Rand  <jeremyr...@airmail.cc> wrote:
> I was digging through the NSS source code, and I ran across two
> undocumented trust flags: CERTDB_INVISIBLE_CA and CERTDB_GOVT_APPROVED_CA .
> 
> As far as I can tell, CERTDB_INVISIBLE_CA seems to indicate that the UI
> should hide the existence of the CA from the user, while
> CERTDB_GOVT_APPROVED_CA seems to have something to do with crypto export
> regulations.  I'm wondering if anyone can explain what exactly the
> intended purpose of these flags is, and whether they actually have any
> effect in any of the NSS software ecosystem (including Firefox, but also
> including the NSS certificate verifier, any of the various NSS tools
> distributed by Mozilla, and anything else that uses NSS that you're
> aware of).  I can't think of any reason for CERTDB_INVISIBLE_CA to exist
> (other than making it easier for backdoors to be stealthily inserted,
> which I assume isn't the intended use case), and I'm also surprised that
> CERTDB_GOVT_APPROVED_CA is a thing in 2018 since (as far as I know)
> crypto export regulations haven't existed for a couple of decades.

This four year old bug report claims they are not used anymore:

https://bugzilla.mozilla.org/show_bug.cgi?id=1045907
Comment 4 (in part):

    > However, note line 1670. CERTDB_PRESERVE_TRUST_BITS is
    > (CERTDB_USER | CERTDB_NS_TRUSTED_CA |
    > CERTDB_VALID_CA | CERTDB_INVISIBLE_CA | CERTDB_GOVT_APPROVED_CA).

    So these don't have mappings through the PKCS #11 trust interface.
    CERTDB_USER is set based on finding the associated private key.
    CERTDB_GOVT_APPROVED_CA is set based on a different PKCS #11
    attribute. It's no longer used by NSS.
    CERTDB_NS_TRUSTED_CA isn't used either.

    I'm not sure if CERTDB_VALID_CA or CERTDB_INVISIBLE_CA are even
    stored anymore. I know NSS doesn't actually use them.

Not sure if that's the reassurance you want.

Elijah
------
agrees that CERTDB_INVISIBLE_CA seems a dangerous thing
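Since the quoted comment says the CERTDB_* flags have no mapping through the PKCS #11 trust interface, the trust state that actually matters for a deployed NSS database is what `certutil -L` reports. The following is an added example, not code from the thread or from NSS: a small POSIX shell filter that classifies each entry of `certutil -L -d <dir>` output by its SSL trust letters, so an administrator can audit which CAs a profile really trusts. It assumes the usual certutil listing layout (two header lines, then `nickname   SSL,S/MIME,JAR/XPI`); the sample listing embedded below is constructed, not captured from a real machine.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or NSS itself).
# Classify entries of `certutil -L -d <dir>` by their SSL trust letters.
# Usage on a real profile:  certutil -L -d sql:"$HOME/.pki/nssdb" | list_trusted_cas

list_trusted_cas() {
    # certutil prints two header lines, then one line per certificate:
    #   <nickname><whitespace><SSL>,<S/MIME>,<JAR/XPI>
    # The trust string is always the last field; the nickname may contain spaces.
    awk '
        NR <= 2 || NF == 0 { next }
        {
            trust = $NF
            nick = $0
            sub(/[ \t]+[^ \t]+$/, "", nick)      # strip the trailing trust field
            split(trust, f, ",")                  # f[1] is the SSL trust column
            # C = trusted to issue server certs, T = trusted to issue client certs,
            # c = valid CA but not trusted, u = user cert (private key present)
            if (f[1] ~ /C/ || f[1] ~ /T/) print "TRUSTED-CA\t" nick "\t" trust
            else if (f[1] ~ /u/)           print "USER\t" nick "\t" trust
            else                           print "OTHER\t" nick "\t" trust
        }'
}

# Constructed sample listing in certutil -L format (assumed layout, not real data).
SAMPLE='Certificate Nickname                          Trust Attributes
                                              SSL,S/MIME,JAR/XPI

Example Corp Root CA                          CT,C,C
Unknown Intermediate                          c,c,c
my-client-cert                                u,u,u'

# Number of entries trusted to act as a CA for SSL in the sample.
count_trusted_cas() {
    printf '%s\n' "$SAMPLE" | list_trusted_cas | grep -c '^TRUSTED-CA'
}

# Number of user certificates (entries whose private key is in the database).
count_user_certs() {
    printf '%s\n' "$SAMPLE" | list_trusted_cas | grep -c '^USER'
}
```

Run against a real profile, the `TRUSTED-CA` lines are the ones worth comparing against the CAs you expect to be there; an entry marked only `c` is a valid CA that the database does not trust, and a trailing `u` marks a certificate whose private key is present.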
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security