On 10/7/20 9:30 AM, Matthew Hardeman wrote:
Would it be unreasonable to also consider publishing, as an "easy to use"
list, that set of only those anchors which are currently trusted in the
program and for which no exceptional in-product policy enforcement is
imposed? (TLD constraints, provisional distrusts, etc.)
The lazier implementers are going to take the raw set of anchors and none
of the policy associated, and so the default assumption should be that none
of the enhanced policy enforcements from nss or firefox would get copied
along.
These reports are automatically generated by CCADB (Salesforce), so I
cannot filter out all of the exceptions that may occur or that are
currently listed in https://wiki.mozilla.org/CA/Additional_Trust_Changes
I could add a report that filters out root certificates that are
name-constrained. However, there is currently only one name-constrained
included root cert, and this option ended up not being very popular
among CAs requesting root inclusion.
Also note that in Mozilla's program being name-constrained does not
release the CA from following the same rules that all of the other CAs
have to follow.
Therefore, I'm not currently inclined to add another report to filter
out name-constrained root certs (currently just the one root cert).
Thanks,
Kathleen
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy