At 10:10 AM +0000 3/23/07, Gervase Markham wrote:
>Kyle Hamilton wrote:
>> The Mozilla Foundation is the authority which determines whether a
>> given root certificate is included in its default certificate list.
>> If you're going to assert that it's "provable", you suddenly create a
>> lot more liability for the Foundation -- because it's not provable.
>> For example, if you upgrade Firefox, does the root certificate store
>> get replaced?
>
>Yes, potentially.
If true, this is a security bug. If I have removed FooCA because they have been proven untrustworthy, and the Mozilla Foundation adds it back in when I do a needed update for security reasons, that is a violation of basic security principles. If the cert store gets replaced *silently*, that is a horrible security bug.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
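One way to actually check the concern raised in this thread, added here as an example and not part of the original messages: snapshot the trust flags of the profile's certificate store with NSS `certutil -L -d <profile-dir>` before and after an update, then diff the two listings for roots that went from explicitly distrusted back to trusted, or that appeared newly trusted. The two listings below are constructed samples in the shape `certutil -L` prints; "FooCA" is the placeholder name from the thread, the other nicknames are invented. Trust letters follow the certutil manual: `C` trusted CA for server certs, `T` trusted for client certs, `c` valid CA, `p` explicitly distrusted, empty means no trust.

```python
"""Diff two `certutil -L` listings for roots whose trust was silently restored.

Added example for the dev-tech-crypto thread above, not code from Mozilla or
NSS. The listings are constructed samples in the layout certutil prints:
a nickname column, two or more spaces, then the SSL,S/MIME,JAR/XPI triple.
"""
import re
from typing import Dict, List, Tuple

TrustFlags = Tuple[str, str, str]  # (SSL, S/MIME, JAR/XPI) trust columns

# Constructed sample: listing taken before the update. The user has set
# "FooCA Root" to explicitly distrusted (p) in every column.
BEFORE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Global Root                     CT,C,C
Builtin Object Token:FooCA Root                              p,p,p
Builtin Object Token:ExampleTrust Root                       CT,C,C
"""

# Constructed sample: listing taken after the update. FooCA is trusted
# again and a root that was not there before has appeared as trusted.
AFTER_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Global Root                     CT,C,C
Builtin Object Token:FooCA Root                              CT,C,C
Builtin Object Token:ExampleTrust Root                       CT,C,C
Builtin Object Token:NewCorp Root CA 2                       CT,C,C
"""

# Nickname (may contain single spaces), then >=2 spaces, then the flag triple.
_LINE_RE = re.compile(r"^(.*?)\s{2,}([CTcpPuw]*,[CTcpPuw]*,[CTcpPuw]*)\s*$")


def parse_certutil_listing(text: str) -> Dict[str, TrustFlags]:
    """Map certificate nickname -> (SSL, S/MIME, JAR/XPI) trust flags.

    Header and blank lines are skipped; lines that do not end in a flag
    triple are ignored rather than guessed at.
    """
    certs: Dict[str, TrustFlags] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("Certificate Nickname"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue
        nick, flags = m.group(1), m.group(2)
        ssl, smime, jar = flags.split(",")
        certs[nick] = (ssl, smime, jar)
    return certs


def is_distrusted(flags: TrustFlags) -> bool:
    """'p' in the SSL column is certutil's marker for explicit distrust."""
    return "p" in flags[0]


def is_trusted_server_ca(flags: TrustFlags) -> bool:
    """'C' in the SSL column: trusted to issue server certificates."""
    return "C" in flags[0]


def trust_regressions(before: Dict[str, TrustFlags],
                      after: Dict[str, TrustFlags]) -> Dict[str, List[str]]:
    """Report roots trusted for TLS after the update that either were
    explicitly distrusted before ("re_trusted") or did not exist before
    ("new_trusted"). Both deserve a manual look after an upgrade."""
    findings: Dict[str, List[str]] = {"re_trusted": [], "new_trusted": []}
    for nick, flags in sorted(after.items()):
        if not is_trusted_server_ca(flags):
            continue
        old = before.get(nick)
        if old is None:
            findings["new_trusted"].append(nick)
        elif is_distrusted(old):
            findings["re_trusted"].append(nick)
    return findings


def check_samples() -> Dict[str, List[str]]:
    """Run the diff over the constructed listings above."""
    return trust_regressions(parse_certutil_listing(BEFORE_LISTING),
                             parse_certutil_listing(AFTER_LISTING))


if __name__ == "__main__":
    for kind, nicks in check_samples().items():
        for nick in nicks:
            print(f"{kind}: {nick}")
```

On a real profile, replace the two sample strings with the output of `certutil -L -d sql:<profile-dir>` captured before and after the update; the diff only flags the SSL column, so extend `is_trusted_server_ca` if you also care about S/MIME or code-signing trust.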