Ian,
Ian G wrote:
Also, add the caveat that this guesstimate only applies to Mozilla
products, and not these:
- software that uses NSS but isn't a product of Mozilla
- other libraries
They have to sort themselves out.
Whether we can do much about the other vendors is an open question.
From the business perspective, I would suggest that we try to craft
a solution for Mozilla, at least, and then see what happens. One
step at a time.
Any products in the above category have to have their own policy to deal
with security issues. Most of them already do. Usually the urgency of
them is dealt with on a case-by-case basis depending in particular on
whether a workaround for the problem exists.
Clearly, if a root gets compromised, there are already workarounds -
such as disabling the trust for that root, or not using the root cert
module at all - which many government or corporate customers of
NSS-based Sun servers do.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto