On 7/30/2014 3:14 PM, David E. Ross wrote:
> On 7/30/2014 12:17 PM, Kathleen Wilson wrote:
>> On 7/28/14, 11:00 AM, Brian Smith wrote:
>>> I suggest that, instead of including the cross-signing certificates in
>>> the NSS certificate database, the mozilla::pkix code should be changed
>>> to look up those certificates when attempting to find them through NSS
>>> fails. That way, Firefox and other products that use NSS will have a
>>> lot more flexibility in how they handle the compatibility logic.
>>
>>
>> There's already a bug for fetching missing intermediates:
>> https://bugzilla.mozilla.org/show_bug.cgi?id=399324
>>
>> I think it would help with removal of roots (the remaining 1024-bit
>> roots, non-BR-compliant roots, SHA1 roots, retired roots, etc.), and IE
>> has been supporting this capability for a long time.
>>
>> So, should we do this?
>> Does it introduce security concerns?
>>
>> Kathleen
>>
>
> I do indeed have a security concern over this.
>
> If a server's operator is lax in updating intermediate certificates or
> (worse) not installing necessary intermediate certificates, that
> indicates poor or non-existent attention to necessary security
> procedures. That raises the question: What other security lapses exist
> for that server?
>
> Having a browser automatically supply a missing intermediate certificate
> or replace an incorrect one with the correct one effectively hides
> other possible security lapses.
>

Furthermore, automatically providing an intermediate certificate when
none or a bad one is found on the server only encourages further lax
security procedures.

-- 
David E. Ross
The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.