On Wed, Sep 9, 2015 at 11:43 AM, Hubert Kario <hka...@redhat.com> wrote:

> On Tuesday 08 September 2015 11:08:50 Peter Bowen wrote:
> > On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx <k...@roeckx.be> wrote:
> > > On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
> > >> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are
> > >> signed using Mozilla's own roots. There doesn't appear to be
> > >> anyone else using the roots in the NSS root store for Code
> > >> Signing. -- currently under discussion in
> > >> mozilla.dev.security.policy.
> > >
> > > As already pointed out, this is probably at least used by java on
> > > most Linux distributions.
> >
> > Are you aware of any Java implementations that use the trust bits?
> > From what I've seen most Linux distributions create trust store
> > bundles by either ignoring the trust bits or only filtering out
> > explicit distrust.
>
> Fedora 22 does not
>
> in fact, in /etc/pki/ca-trust/extracted/pem/ you have three files with
> the trust stores extracted:
> email-ca-bundle.pem
> objsign-ca-bundle.pem
> tls-ca-bundle.pem
> according to the bits present
>

The question remains -- is anyone using these files?  If a tree were to
fall in the forest and nobody hear it, we should go ahead and cut it down.



> --
> Regards,
> Hubert Kario
> Quality Engineer, QE BaseOS Security team
> Web: www.cz.redhat.com
> Red Hat Czech s.r.o., Purkyňova 99/71, 612 45, Brno, Czech Republic
>
> _______________________________________________
> dev-security-policy mailing list
> dev-security-policy@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-security-policy
>
>