On Wed, Dec 24, 2008 at 1:42 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> Kyle Hamilton wrote, On 2008-12-23 21:20:
>> On Tue, Dec 23, 2008 at 6:16 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
>>> Anyway, I would support the creation of a "CA certificate" non-code module.
>>
>> I think this would be a really good idea.  I'm aware that my opinion
>> carries little weight, but I think that since it relies on business-
>> and legal-side undertakings, it shouldn't be managed by the coders.
>>
>> How would this work?  Split nssckbi out to be managed by the non-code
>> module owner, though a coder would need to be enlisted to finalize the
>> decisions made by that person?
>
> No, it would be a NON-CODE module.  It would not contain any code.
> Its output would be the list of trusted root certs, perhaps as a web page,
> and/or also as a set of requests (in the form of Bugzilla bugs) to have
> certs inserted into nssckbi.
>
> nssckbi is just a medium for the conveyance of that list, potentially one
> of several.  The task for the NSS module owner would be to ensure that
> the copy of the list in nssckbi is kept reasonably up to date, and doesn't
> differ from the official list (or a very recent version of that list) as of
> the date on which it is released.
>
> That's really how things operate now.  I'm merely suggesting that that
> separation of responsibility be formalized by making the maintenance of
> the official CA list be a separate "module".

Thanks for the explanation.

I do agree that the separation of responsibility would be good, since
Frank (appears to?) does the actual CA approval and you appear to be
the one primarily who implements his directives as regards the updates
to nssckbi?

-Kyle H
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
