On 7/30/2014 12:17 PM, Kathleen Wilson wrote: > On 7/28/14, 11:00 AM, Brian Smith wrote: >> I suggest that, instead of including the cross-signing certificates in >> the NSS certificate database, the mozilla::pkix code should be changed >> to look up those certificates when attempting to find them through NSS >> fails. That way, Firefox and other products that use NSS will have a >> lot more flexibility in how they handle the compatibility logic. > > > There's already a bug for fetching missing intermediates: > https://bugzilla.mozilla.org/show_bug.cgi?id=399324 > > I think it would help with removal of roots (the remaining 1024-bit > roots, non-BR-complaint roots, SHA1 roots, retired roots, etc.), and IE > has been supporting this capability for a long time. > > So, Should we do this? > Does it introduce security concerns? > > Kathleen >
I do indeed have a security concern over this. If a server's operator is lax in updating intermediate certificates or (worse) not installing necessary intermediate certificates, that indicates poor or non-existent attention to necessary security procedures. That raises the question: What other security lapses exist for that server? Having a browser automatically supply a missing intermediate certificate or replacing an incorrect one with the correct one effectively hides other possible security lapses. -- David E. Ross The Crimea is Putin's Sudetenland. The Ukraine will be Putin's Czechoslovakia. See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>. _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy