On Fri, Sep 11, 2015 at 06:56:49AM +0300, Moudrick M. Dadashov wrote:
> On 9/11/2015 3:23 AM, Peter Bowen wrote:
> >On Thu, Sep 10, 2015 at 3:54 PM, Peter Kurrasch <fhw...@gmail.com> wrote:
> >>It should be understood that code signing is very important in the
> >>embedded space--just ask Tesla or Jeep/Chrysler or Nest or other IoT
> >>product developers. If we accept that premise, the question immediately
> >>becomes: How do we put together a good code-signing system and how does
> >>(should?) Mozilla products factor in to that system?
> >
> >I'm not that familiar with the embedded space, but I'm not clear how public
> >code signing certificates help these companies.  A public code signing
> >certificate is basically an IV/OV/EV certificate without any DNS Names or
> >IP Addresses in the SAN extension.  It is an identity certificate, which
> >identifies either an individual or an organization.
> >
> >In the embedded space, I would assume there is no human to make these
> >decisions, so I'm not clear on the value of a code signing certificate.
>
> Even if there is a human to make these decisions, in the embedded space the
> decision actually is made by the manufacturer of a device at the embedding
> time. So indeed no choice for the human to challenge the decision which
> relies on a particular code signing certificate. I'm not sure if this
> reliance is static or assumes regular online status check.

If the device relies on a *single* code-signing certificate (or a small
number of them), then this change won't have any effect: this is for
removing the trust bit on *root* CA certificates.  The only situation in
which this change is going to impact an embedded vendor is if they allow
anyone with an issued code signing cert to run code on their device.

If there are any devices out there that are relying on the Mozilla root
program's list of code-signing trust anchors, I'd love to know who they are. 

Further, even if Mozilla stops managing the code-signing trust bit in NSS,
it won't have any practical impact on anyone out there.  Mozilla applies no
meaningful, applicable, specific checks to requests for inclusion for
code-signing.  There is no value in Mozilla managing this, over and above an
embedded vendor or consortium managing this themselves.

- Matt

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
