Nelson Bolyard wrote:
> Mozilla's policy governs
> certificates that will be used by NSS-based software, which includes most
> (not all) of Mozilla's products. Mozilla's policy attempts to ensure that
> the security of Mozilla's products' users will be adequately protected when
> certs issued by CAs in its trusted root list are relied upon by Mozilla's
> NSS-based software. Mozilla's policy does not state that the CA certs
> approved for Mozilla's trusted CA list are "safe" for use in any other
> products than Mozilla's NSS-based products. (Right Frank? :)

Our policy addresses certs as included in NSS, and thence in Mozilla-based products shipped under Foundation auspices that incorporate NSS. People may choose to use our root CA certificate set in other contexts, but they are on their own in doing so. (Strictly speaking we can't even take responsibility for use of NSS and its root list in Mozilla-based products shipped by third parties; however in practice the security issues for such products are likely to be the same as for Firefox et al.)

> This suggests to me that Mozilla should NOT approve for inclusion any
> certs for root CAs that rely on any constraining cert extensions
> (name constraints aren't the only ones) that are not implemented in NSS.

This sounds reasonable at first glance, but I admit to being a bit leery about adopting such a policy. If we generalized this to something like "Mozilla should NOT approve for inclusion any certs for root CAs that rely on features not implemented in NSS", then, for example, it seems we would never approve any CAs that provide CRLs for EE cert revocation checking but not OCSP, given that NSS doesn't currently implement CRL checking by default.

(Begin digression. This takes me back to a previous offer of mine: If there are feature gaps in NSS that should be fixed, and they're not going to get fixed given resource constraints on the current NSS developer groups, I'd be happy to entertain requests to have the Mozilla Foundation fund the work. End digression.)

Getting back to the point under discussion: Perhaps it would help if you could describe exactly which other constraining cert extensions a CA might use that are not implemented in NSS. Then we could determine what the practical effect would be of your suggested policy change.

> I might even suggest that Mozilla's root CA policy be amended to explicitly
> disclaim any responsibility for security of users who rely on the certs in
> Mozilla's root CA list, but use them with other non-Mozilla software.

That might not be a bad idea for a future revision.

Frank

-- 
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
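The thread turns on which "constraining" extensions a root or intermediate CA cert can carry, and on what happens when a relying party does not implement one of them. The example below is added here to make that concrete; it is not code from the thread, from NSS or from Mozilla. It builds a constructed sample of the extensions a name-constrained CA cert might carry (basicConstraints, keyUsage, nameConstraints, plus a non-critical cRLDistributionPoints), parses them with a minimal DER walker, classifies the ones that constrain CA usage, and applies the RFC 5280 section 4.2 rule for a hypothetical verifier: an unrecognized extension is ignored if non-critical and makes the cert unusable if critical. The `supported` sets passed to `evaluate` are assumptions standing in for what a given verifier implements, not a statement about NSS.

```python
# Added example for the dev-tech-crypto thread above; not NSS or Mozilla code.
# Parses X.509 extensions, flags the constraining ones, and applies RFC 5280 4.2
# (unknown critical extension -> reject; unknown non-critical -> ignore).

# --- minimal DER helpers (single-byte tags, definite lengths) ---

def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return der(0x06, bytes(body))


def decode_oid(body: bytes) -> str:
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after this TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        nb = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + nb], "big"), pos + 2 + nb
    return tag, buf[start:start + length], start + length


def children(content: bytes):
    """Iterate the TLVs directly inside a constructed value's content."""
    pos = 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        yield tag, val


# Extensions that constrain how a CA certificate may be used (RFC 5280 4.2.1).
CONSTRAINING = {
    "2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints",
    "2.5.29.30": "nameConstraints", "2.5.29.33": "policyMappings",
    "2.5.29.36": "policyConstraints", "2.5.29.37": "extKeyUsage",
    "2.5.29.54": "inhibitAnyPolicy",
}
OID_NAMES = {**CONSTRAINING, "2.5.29.31": "cRLDistributionPoints"}


def parse_extensions(ext_der: bytes):
    """Extensions SEQUENCE -> list of (oid, critical, extnValue contents)."""
    _, seq, _ = read_tlv(ext_der, 0)
    out = []
    for _, ext in children(seq):
        parts = list(children(ext))          # OID, [BOOLEAN], OCTET STRING
        critical = len(parts) == 3 and parts[1][1] == b"\xff"
        out.append((decode_oid(parts[0][1]), critical, parts[-1][1]))
    return out


def permitted_dns_names(nc_value: bytes):
    """dNSName entries in permittedSubtrees of a NameConstraints value."""
    _, seq, _ = read_tlv(nc_value, 0)
    names = []
    for tag, subtrees in children(seq):
        if tag != 0xA0:                      # [0] permittedSubtrees only
            continue
        for _, subtree in children(subtrees):
            names += [v.decode("ascii") for t, v in children(subtree) if t == 0x82]
    return names


def evaluate(extensions, supported):
    """RFC 5280 4.2 for a relying party that understands only `supported` OIDs."""
    verdicts = {}
    for oid, critical, _ in extensions:
        name = OID_NAMES.get(oid, oid)
        if oid in supported:
            verdicts[name] = "enforced"
        else:
            verdicts[name] = ("reject" if critical else "ignored") + ": not understood"
    return not any(v.startswith("reject") for v in verdicts.values()), verdicts


def extension(oid, critical, value):
    crit = der(0x01, b"\xff") if critical else b""
    return der(0x30, encode_oid(oid) + crit + der(0x04, value))


def sample_ca_extensions() -> bytes:
    """Constructed sample (not a real CA): a name-constrained CA's extensions."""
    basic = der(0x30, der(0x01, b"\xff"))                   # cA TRUE
    key_usage = der(0x03, b"\x01\x06")                      # keyCertSign, cRLSign
    subtree = der(0x30, der(0x82, b".example.com"))         # GeneralSubtree{dNSName}
    name_constraints = der(0x30, der(0xA0, subtree))        # permittedSubtrees
    uri = der(0x86, b"http://crl.example.com/ca.crl")       # assumed URI
    crl_dp = der(0x30, der(0x30, der(0xA0, der(0xA0, uri))))
    return der(0x30, extension("2.5.29.19", True, basic) +
               extension("2.5.29.15", True, key_usage) +
               extension("2.5.29.30", True, name_constraints) +
               extension("2.5.29.31", False, crl_dp))


if __name__ == "__main__":
    exts = parse_extensions(sample_ca_extensions())
    for oid, crit, val in exts:
        kind = "constraining" if oid in CONSTRAINING else "informational"
        print(f"{OID_NAMES.get(oid, oid):22} critical={crit} {kind}")
        if oid == "2.5.29.30":
            print("   permitted dNSName:", permitted_dns_names(val))
    without_nc = {"2.5.29.15", "2.5.29.19", "2.5.29.31"}   # hypothetical verifier
    print(evaluate(exts, without_nc))
    print(evaluate(exts, without_nc | {"2.5.29.30"}))
```

Run against the sample, a verifier without nameConstraints support rejects the cert outright because the CA marked the extension critical, which is the conservative outcome; had the CA marked it non-critical, the same verifier would accept the cert and silently skip the constraint, which is the case the thread is worried about. The non-critical cRLDistributionPoints is ignored either way, which matches Frank's point that lack of CRL support is a feature gap rather than grounds for rejecting the cert.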