Nelson Bolyard wrote:
> This suggests to me that Mozilla should NOT approve for inclusion any
> certs for root CAs that rely on any constraining cert extensions
> (name constraints aren't the only ones) that are not implemented in NSS.

This seems wise to me. I take Frank's point about CRL revocation checking. However, that's a historically unusual case. It does seem to me that if Mozilla is not correctly respecting name constraints, then that's a serious problem that needs to be fixed and, if there is a CA whose security model relies on such constraints, we should not admit them until we can meet that requirement. Of course, WISeKey themselves may want to fund the work, if they see that it's blocking their inclusion.

> I might even suggest that Mozilla's root CA policy be amended to explicitly
> disclaim any responsibility for security of users who rely on the certs in
> Mozilla's root CA list, but use them with other non-Mozilla software.

This too seems wise.

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto