Kyle Hamilton wrote, On 2008-12-04 10:57:
> On Sat, Nov 29, 2008 at 3:57 PM, Frank Hecker
> <[EMAIL PROTECTED]> wrote:
>> The primary reason CAs apply to have certificates included into NSS, and the
>> primary reason we have a policy about this, is because CAs want their
>> customers' SSL certificates recognized in Firefox.
>
> Then Firefox should fork its version of NSS and manage its own
> certificate trust list.

Fork it from what? From what other stream of definitions of sets of trusted CAs would Firefox's defined set be a fork? No one has ever approached the NSS team saying anything remotely like "We have our own organization that evaluates CAs based on a set of criteria and we'd like to see NSS offer our list as an alternative to Mozilla's."

> Since there are other clients of NSS, though, NSS has taken it upon
> itself to manage its own trust list, "on behalf of" those organizations
> that use it, whether those organizations want to use it or not.

NSS distributes a trusted CA list from the one and only organization that maintains such a list and has ever offered its list to NSS. For developers of non-Mozilla products, NSS's built-in list is nothing more than a convenient starting place for them to produce their own list. NSS makes it quite easy for developers to modify and/or replace the list in their own copies of NSS sources. (NSS even provides a tool for that purpose.)

End users are always in control of the CAs that they trust. The presence of CA certs in the list distributed with Mozilla doesn't force anyone to trust and use all those certs. NSS includes command line tools by which any user can control his own list, and numerous products that use NSS have their own UI by which the end user can manage his own list of trusted CAs.

One of the sponsors of NSS development, Sun Microsystems, has its own set of trusted root CA certs that it distributes with Java. Yet the people responsible for that list at Sun have never approached NSS developers asking that NSS adopt or distribute their set of trusted certs.

Sun's server products that use NSS are distributed with Mozilla's list of trusted certs intact. I believe that is because that list is seen as a mere convenience for the server admins, not in any way restricting their choices, and therefore there is no perceived need to change it.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
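The message above describes the built-in NSS root list as a starting point that a product vendor edits or replaces in their own copy of the NSS sources. In the sources that list is the text file certdata.txt in the builtins module, where each root is a CKO_CERTIFICATE object followed by a CKO_NSS_TRUST object carrying per-usage trust values. The following is an added example, not code from NSS or from the mailing list: a small parser and editor for that layout, showing how a downstream vendor could audit the trust bits of each root and mark one as not trusted or drop it entirely before building. The input is a constructed, abbreviated fragment (placeholder DER, no hash/issuer/serial attributes), the attribute spelling CKT_NSS_* is the modern one (older trees used CKT_NETSCAPE_*), and the example keys trust records on CKA_LABEL only, whereas NSS itself matches them to certificates by issuer and serial number.

```python
"""Audit and edit a certdata.txt-style NSS built-in root list (added example)."""

# Constructed sample in the certdata.txt layout; the OCTAL bodies are placeholders.
SAMPLE_CERTDATA = r"""BEGINDATA

# Certificate "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Example Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\001\000
END

# Trust for "Example Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Example Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE

# Certificate "Other Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_CERTIFICATE
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Other Root CA"
CKA_CERTIFICATE_TYPE CK_CERTIFICATE_TYPE CKC_X_509
CKA_VALUE MULTILINE_OCTAL
\060\202\002\000
END

# Trust for "Other Root CA"
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_TOKEN CK_BBOOL CK_TRUE
CKA_PRIVATE CK_BBOOL CK_FALSE
CKA_MODIFIABLE CK_BBOOL CK_FALSE
CKA_LABEL UTF8 "Other Root CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_CODE_SIGNING CK_TRUST CKT_NSS_MUST_VERIFY_TRUST
CKA_TRUST_STEP_UP_APPROVED CK_BBOOL CK_FALSE
"""

TRUST_USAGES = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION",
                "CKA_TRUST_CODE_SIGNING")


def parse_certdata(text):
    """Return a list of objects; each is {'attrs': {name: (type, value)}}.
    A new object starts at every CKA_CLASS line; MULTILINE_OCTAL bodies run to END."""
    objects, current, lines, i = [], None, text.splitlines(), 0
    while i < len(lines):
        stripped = lines[i].strip()
        i += 1
        if not stripped or stripped.startswith("#") or stripped == "BEGINDATA":
            continue
        parts = stripped.split(" ", 2)
        name, ctype = parts[0], parts[1]
        if name == "CKA_CLASS":
            current = {"attrs": {}}
            objects.append(current)
        if current is None:
            raise ValueError("attribute before any CKA_CLASS: %s" % stripped)
        if ctype == "MULTILINE_OCTAL":
            body = []
            while lines[i].strip() != "END":
                body.append(lines[i].strip())
                i += 1
            i += 1  # consume END
            value = "\n".join(body)
        elif ctype == "UTF8":
            value = parts[2].strip('"')
        else:
            value = parts[2]
        current["attrs"][name] = (ctype, value)
    return objects


def serialize(objects):
    """Write objects back out in certdata.txt syntax (blank line between objects)."""
    out = []
    for obj in objects:
        for name, (ctype, value) in obj["attrs"].items():
            if ctype == "MULTILINE_OCTAL":
                out += [f"{name} {ctype}", value, "END"]
            elif ctype == "UTF8":
                out.append(f'{name} {ctype} "{value}"')
            else:
                out.append(f"{name} {ctype} {value}")
        out.append("")
    return "\n".join(out)


def _is(obj, klass):
    return obj["attrs"].get("CKA_CLASS", ("", ""))[1] == klass


def _label(obj):
    return obj["attrs"].get("CKA_LABEL", ("", ""))[1]


def trust_summary(objects):
    """Map each root's label to its per-usage trust values, for auditing."""
    return {_label(o): {u: o["attrs"][u][1] for u in TRUST_USAGES if u in o["attrs"]}
            for o in objects if _is(o, "CKO_NSS_TRUST")}


def set_trust(objects, label, value, usages=TRUST_USAGES):
    """Rewrite the trust record of one root in place; returns records changed.
    Keying on the label is a simplification of this example (NSS uses issuer+serial)."""
    changed = 0
    for obj in objects:
        if _is(obj, "CKO_NSS_TRUST") and _label(obj) == label:
            for usage in usages:
                obj["attrs"][usage] = ("CK_TRUST", value)
            changed += 1
    if not changed:
        raise KeyError("no trust record labelled %r" % label)
    return changed


def remove_root(objects, label):
    """Drop both the certificate and trust objects for a root; returns (kept, removed)."""
    kept = [o for o in objects if _label(o) != label]
    return kept, len(objects) - len(kept)


if __name__ == "__main__":
    roots = parse_certdata(SAMPLE_CERTDATA)
    print(trust_summary(roots))
    set_trust(roots, "Example Root CA", "CKT_NSS_NOT_TRUSTED")
    roots, _ = remove_root(roots, "Other Root CA")
    print(serialize(roots))
```

Running the script prints the audit of both constructed roots, then the edited file with "Example Root CA" explicitly distrusted for all three usages and "Other Root CA" removed; either result is what a vendor would feed back into their own build rather than ship the Mozilla list unchanged.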