On Wed, Jul 30, 2014 at 12:17:27PM -0700, Kathleen Wilson wrote:
> On 7/28/14, 11:00 AM, Brian Smith wrote:
> >I suggest that, instead of including the cross-signing certificates in
> >the NSS certificate database, the mozilla::pkix code should be changed
> >to look up those certificates when attempting to find them through NSS
> >fails. That way, Firefox and other products that use NSS will have a
> >lot more flexibility in how they handle the compatibility logic.
> 
> 
> There's already a bug for fetching missing intermediates:
> https://bugzilla.mozilla.org/show_bug.cgi?id=399324
> 
> I think it would help with removal of roots (the remaining 1024-bit
> roots, non-BR-complaint roots, SHA1 roots, retired roots, etc.), and
> IE has been supporting this capability for a long time.
> 
> So, Should we do this?
> Does it introduce security concerns?

No more so than allowing servers to provide intermediates in the TLS
handshake.  It's all untrusted info as far as the browser's concerned, until
it performs the path validation.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy

Reply via email to