Daniel Veditz <dved...@mozilla.com> wrote:
> I don't think we can restrict it to add-ons since external programs like
> Superfish (and the Lenovo removal tool, for that matter) write directly
> into the NSS profile database. It would be a bunch of work for precisely
> zero win.

mozilla::pkix makes it so that you can ignore the NSS profile
database, if you wish to do so.

> Could we make the "real" and only root accepted by Firefox be a Mozilla
> root, which cross-signs all the built-in NSS roots as well as any
> corporate roots submitted via this kind of program?

This is effectively what the built-in roots module already does,
except the Mozilla root CA certificate is implied instead of explicit.

> I thought pkix gave us those kinds of abilities.

mozilla::pkix offers a lot of flexibility in terms of how certificate
trust is determined.

> Or we could reject any added root that wasn't logged in CT, and then put
> a scanner on the logs looking for self-signed CA=true certs. Of course
> that puts the logs in the crosshairs for spam and DOS attacks.

Those spam and DoS attacks are why logs are specified (required?
recommended?) to not accept those certificates.

If Mozilla wanted to, it is totally possible to make an extension API
that allows an extension, when it is not disabled, to provide PSM with
a list of roots that should be accepted as trust anchors. And, it is
totally possible for PSM to aggregate those lists of
extension-provided trust anchors and use that list, in conjunction
with the read-only built-in roots module, to determine certificate
trust, while ignoring the read/write profile certificate database.

Whether or not that is a good idea is not for me to decide. But, it
would not be a huge amount of work to implement.

Cheers,
Brian
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
