Nelson B Bolyard wrote:
> Eddy Nigg wrote, On 2008-07-23 14:30:
>> Nelson B Bolyard:
>>> [...], when it sends the http get request to fetch the cert, it has
>>> not yet validated the cert from which it got the http URL, so it doesn't
>>> know if that URL is legitimate or from some hacker. It blindly fetches
>>> whatever the server at that URL sends it. Quite a few people view this
>>> as a security vulnerability and/or as a privacy vulnerability. That may
>>> well be a reason that FF3 doesn't use it.
>> [...]
>
> The case of concern is the server with a self-signed cert, or cert from
> an unknown CA, that has an AIA extension that points to a tracking host
> of some sort. [...]
> [...]
> I believe that, within the Mozilla developer community, there is a widely
> held misconception that NSS=PSM and the NSS team is the PSM team. But
> that's really not correct. Most of the NSS developers are paid to work
> on NSS but not on PSM. PSM could use more love, I think.

It would help if it was easier to see from the outside where NSS is going. If there were a few 100% PSM-staffed resources that you, the NSS team, knew well and who had time to follow carefully what you are doing and when some integration effort with PSM will be important to do, this extra documentation effort from your side would not be required. But in the current state of things, something will happen only if you attract the effort of someone who is not usually working on PSM, and this will happen only if it's as visible as possible what you are doing, where/when some help would be required, and what the benefits for the Fx community will be.

For example, about the shareable database, your response late in February about that was that there was still a lot left to do for it, and that you didn't see the point unless both Fx and Tb had it and it could be shared between the two. After that answer, I gave up hope of seeing it in Firefox 3 and really wouldn't have guessed that the NSS team would go the extra mile to have the functionality included in NSS 12/Firefox 3 with apparently just a little PSM work needed to activate it.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
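The AIA-fetching concern quoted above (the caIssuers URL is read out of a certificate that has not yet been validated, so the host it names is chosen by whoever made the cert) as an added Go example; this is not code from the thread, NSS or PSM. The self-signed certificate, the tracker.invalid URL and the allowlist policy are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// newSelfSignedWithAIA builds a constructed self-signed certificate whose AIA
// caIssuers URL points wherever the cert's author chooses (the "tracking host").
func newSelfSignedWithAIA(aiaURL string) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "untrusted.example"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		IssuingCertificateURL: []string{aiaURL},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// chainsToRoots is the pre-fetch view: does the cert verify with no AIA fetch?
func chainsToRoots(cert *x509.Certificate, roots *x509.CertPool) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err == nil
}

// shouldFetchAIA is a hypothetical client policy: contact a caIssuers host only
// if it is on an operator-maintained allowlist. An empty allowlist never fetches.
func shouldFetchAIA(cert *x509.Certificate, allowed map[string]bool) bool {
	for _, raw := range cert.IssuingCertificateURL {
		// The host comes from an unverified cert, so it is attacker-chosen.
		if u, err := url.Parse(raw); err != nil || !allowed[u.Host] {
			return false
		}
	}
	return true
}
```

Go's own verifier never follows AIA, so chainsToRoots shows exactly what a client knows at the moment it would decide to fetch.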

