Julien R Pierre - Sun Microsystems wrote:
> Eddy,
>
> Eddy Nigg wrote:
>> On 10/23/2008 12:34 AM, Julien R Pierre - Sun Microsystems:
>>> ...
>> However reality shows that it takes quite some time until
>> a new version of NSS seeps to the application level, including with
>> Mozilla's own products (which would be by far the fastest). I'd expect
>> that in an emergency a new FF/TB/SM etc. version would be shipped, but
>> for those outside of Mozilla making use of NSS it might take months,
>> even years.
>
> If a root ended up being compromised and we heard about it, I can assure
> you that we would produce a new NSS release with an updated root cert
> module with all due haste - meaning probably within a couple of business
> days.
>
> The NSS team always maintains at least 2 versions - a "stable branch"
> (currently 3.11.x) and current development version (currently the trunk,
> which is 3.12.x)
>
> FF/TB/SM are indeed often reluctant to take NSS updates when they
> contain functionality updates, but I'm sure that for such a major
> security problem they would pick up the update as soon as it's available.

OK, could we speculate that Mozo apps also could turn out a security
update for their products in ... say 2 business days? Or, what number?

And then, we could suggest that the whole process is likely to take a
week (5 business days)?

This would be an important clue on the whole process, useful for
planning at the CA end, and a target & hint to the apps people in the
event that this ever happened.

Also, add the caveat that this guesstimate only applies to Mozilla
products, and not these:

> - software that uses NSS but isn't a product of Mozilla
> - other libraries

They have to sort themselves out. Whether we can do much about the
other vendors is an open question. From the business perspective, I
would suggest that we try to craft a solution for Mozilla, at least,
and then see what happens. One step at a time.

iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto