Heikki Toivonen wrote:
> Frank Hecker wrote:
>
>> Nelson B Bolyard wrote:
>>
>>> So, where's the official list of CA certs in mozilla?
>>
>> Right now we don't have such an official list, other than what's in the
>> source code itself. I've never had the time to go through the source and
>> create a web page with a list of CAs, especially with the additional
>> information I try to collect, like web site URLs, policy documents,
>> links to WebTrust audit reports, URLs for CRLs and OCSP, etc.
Having no "specification" other than the source code means having *NO* specification against which to ask (and settle) the question: is the source code right? When the source code *IS* its own specification, then the source code never disagrees with the specification, and indeed the source code is always correct *by definition*, being always 100% in agreement with the specification (itself).

> I would suggest adding the additional info as comments into the
> http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ckfw/builtins/certdata.txt
> file itself.

The problem we're having right now is that people are accusing the developers of certdata.* of having accidentally or deliberately failed to put all the Frank-approved certs into the source code. They're saying (in effect) "Frank approved this cert, but it's not in the file". Either they're right, and this is an omission, or they're wrong, and this is an attempt to get mozilla to add certs to the trusted CA list without going through the formal process that Frank's policy requires. Frankly (no pun intended), I suspect the latter.

Now, if the file itself is the specification of what belongs in the file, then I can just tell these people to go away. I can tell them "the file matches the specification, so your complaint is invalid". But that's disingenuous, and we all know it.

I went to Frank's old hecker.org web site, expecting it to still contain the table of all the old certs that Frank ever reviewed and approved (or didn't [yet] approve). But it appears that the table on that page has been trimmed down. Perhaps many table entries were removed when the corresponding certs were put into NSS.

Bottom line: I have no public "reference" document to which I can refer and say "that is the official answer; if it's in that list, then it belongs in NSS, and if it's not, then it doesn't". Without such a list NSS developers will always be vulnerable to accusations such as the ones now being leveled at NSS.
-- 
Nelson B

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
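The dispute above, whether every approved CA is in certdata.txt and whether everything in certdata.txt was approved, is mechanically checkable as soon as a reference list exists. The script below is an added example, not code from this thread or from NSS: it parses the real certdata.txt object syntax (CKA_* attribute lines, MULTILINE_OCTAL ... END bodies, CKO_CERTIFICATE objects paired with CKO_NSS_TRUST or the older CKO_NETSCAPE_TRUST objects) and diffs the CKA_LABEL values against a hypothetical approved list. The embedded sample file and the APPROVED list are constructed for the example; the octal bodies are dummy bytes, not real certificates.

```python
"""Cross-check an NSS certdata.txt against an approved-CA list.

Added example for the dev-tech-crypto thread; not NSS code. The certdata.txt
syntax is real; SAMPLE_CERTDATA and APPROVED below are constructed.
"""
import re

TRUST_CLASSES = {"CKO_NSS_TRUST", "CKO_NETSCAPE_TRUST"}
TRUSTED_VALUES = {"CKT_NSS_TRUSTED_DELEGATOR", "CKT_NETSCAPE_TRUSTED_DELEGATOR"}
PURPOSES = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
            "CKA_TRUST_CODE_SIGNING")

# Constructed excerpt in certdata.txt syntax (dummy octal bodies).
SAMPLE_CERTDATA = r"""
# Certificate "Example Root CA 1" (approved, trusted for all purposes)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_LABEL UTF8 "Example Root CA 1"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\001
END

# Trust for "Example Root CA 1"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 1"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_TRUSTED_DELEGATOR

# Certificate "Example Root CA 2" (approved, present, but no purpose trusted)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA 2"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\002
END

# Trust for "Example Root CA 2"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Root CA 2"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Certificate "Example Root CA 3" (trusted for TLS, never approved; old syntax)
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_LABEL UTF8 "Example Root CA 3"
CKA_VALUE MULTILINE_OCTAL
\060\202\003\003
END

# Trust for "Example Root CA 3"
CKA_CLASS CK_OBJECT_CLASS CKO_NETSCAPE_TRUST
CKA_LABEL UTF8 "Example Root CA 3"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NETSCAPE_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NETSCAPE_TRUST_UNKNOWN
"""

# Hypothetical published "official" list (the document Nelson asks for).
APPROVED = ["Example Root CA 1", "Example Root CA 2", "Example Root CA 4"]


def parse_certdata(text):
    """Return a list of objects (dict attr -> value) from certdata.txt text.
    A new object starts at each CKA_CLASS line; MULTILINE_OCTAL bodies are
    decoded to bytes; UTF8 values have their surrounding quotes stripped."""
    objects, cur, octal_attr, octal_body = [], None, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if octal_attr is not None:            # inside MULTILINE_OCTAL ... END
            if line == "END":
                cur[octal_attr] = bytes(int(o, 8) for o in
                                        re.findall(r"\\([0-7]{3})", octal_body))
                octal_attr, octal_body = None, ""
            else:
                octal_body += line
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        attr = parts[0]
        typ = parts[1] if len(parts) > 1 else ""
        value = parts[2] if len(parts) == 3 else ""
        if attr == "CKA_CLASS":               # every object begins with its class
            cur = {}
            objects.append(cur)
        if cur is None:
            continue
        if typ == "MULTILINE_OCTAL":
            octal_attr = attr
        elif typ == "UTF8":
            cur[attr] = value.strip('"')
        else:
            cur[attr] = value
    return objects


def audit(certdata_text, approved):
    """Diff certdata.txt against the approved list, keyed on CKA_LABEL.
    missing:    approved CAs with no certificate object in the file
    unapproved: certificate objects nobody approved
    untrusted:  certificates present but with no TRUSTED_DELEGATOR purpose"""
    objs = parse_certdata(certdata_text)
    certs = {o["CKA_LABEL"] for o in objs
             if o.get("CKA_CLASS") == "CKO_CERTIFICATE" and "CKA_LABEL" in o}
    trusted = {o["CKA_LABEL"] for o in objs
               if o.get("CKA_CLASS") in TRUST_CLASSES and "CKA_LABEL" in o
               and any(o.get(p) in TRUSTED_VALUES for p in PURPOSES)}
    approved = set(approved)
    return {"missing": sorted(approved - certs),
            "unapproved": sorted(certs - approved),
            "untrusted": sorted(certs - trusted)}


if __name__ == "__main__":
    for kind, labels in audit(SAMPLE_CERTDATA, APPROVED).items():
        print(f"{kind:>10}: {', '.join(labels) or '-'}")
```

Keying on CKA_LABEL is the weak point of this check: a label is free text and can be renamed without the certificate changing. A reference list meant to settle "is it in NSS or not" should carry the certificate's fingerprint or issuer plus serial number, and the comparison should then be done on the bytes of CKA_VALUE (or the trust object's CKA_CERT_SHA1_HASH) rather than on names.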