On 09/26/2009 02:39 AM, Kathleen Wilson:
> If it would be reasonable to mark a root cert as “untrusted” in NSS, we could also consider this option... If a root were to be compromised, and marked as untrusted, it could be treated as though all of the trust bits are unset, and not allow the user to set any of the trust bits. This would be safer than removing the root from NSS, because it would prevent the user from importing and trusting the root.
I think NSS/PSM needs to have an option to completely disable the possibility to turn the trust bits on - especially for compromised roots. At least the UI in FF/UI should remove the edit flags for those roots. For example the MD5 CA cert derived from the GeoTrust root should not be open to editing. Perhaps we could "fix" this at two different levels; it seems to me that a fix in PSM would be easier and faster to implement. Later maybe some functionality could be added to NSS to prevent enabling a compromised root.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
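The difference discussed in this thread between removing a compromised root and marking it untrusted, as a toy model added here; it is not NSS or PSM code and not part of the original messages. The class, method and trust-bit names are hypothetical, and the fingerprint is a constructed sample value.

```python
TRUST_BITS = frozenset({"ssl", "email", "code"})  # hypothetical names for the three trust bits
FP = "00:11:22:constructed-fingerprint"           # constructed sample value, not a real root


class DistrustedRootError(Exception):
    """Raised when a trust bit is turned on for a root marked untrusted."""


class TrustStore:
    """Toy root store: per-root trust bits plus a locked 'untrusted' set."""

    def __init__(self):
        self._trust = {}          # fingerprint -> set of enabled trust bits
        self._distrusted = set()  # roots whose trust bits can no longer be edited

    def import_root(self, fp):
        self._trust.setdefault(fp, set())  # an imported root starts with no bits set

    def remove_root(self, fp):
        self._trust.pop(fp, None)  # removal keeps no memory of the compromise

    def mark_untrusted(self, fp):
        self._distrusted.add(fp)
        self._trust[fp] = set()    # treated as though all trust bits are unset

    def set_trust(self, fp, bits):
        bits = set(bits)
        if not bits <= TRUST_BITS:
            raise ValueError("unknown trust bit: %s" % sorted(bits - TRUST_BITS))
        if bits and fp in self._distrusted:
            raise DistrustedRootError(fp)  # editing is refused, not just hidden in the UI
        self._trust[fp] = bits

    def is_trusted(self, fp, usage):
        return fp not in self._distrusted and usage in self._trust.get(fp, set())


def reimport_after(handle_compromise):
    """Apply the store's response to a compromise, then replay a user re-import."""
    store = TrustStore()
    store.import_root(FP)
    store.set_trust(FP, {"ssl"})
    handle_compromise(store, FP)
    store.import_root(FP)          # user imports the same root again
    try:
        store.set_trust(FP, {"ssl"})
    except DistrustedRootError:
        pass                       # the store refuses to turn the bit back on
    return store.is_trusted(FP, "ssl")


if __name__ == "__main__":
    print("removed, then re-imported:", reimport_after(TrustStore.remove_root))
    print("marked untrusted, then re-imported:", reimport_after(TrustStore.mark_untrusted))
```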