So is Mozilla becoming, in effect, just a browser company? If email is
de-prioritized and code signing is on life support, that would be good to know 
before getting too bogged down with issues that aren't necessarily important to 
Mozilla. I'm just trying to understand where the boundaries are.

Continuing on, I'd like to know if Mozilla has plans regarding the code signing 
BR that is working its way through CABF? There is some good stuff in there that 
would be an improvement over current policies (although it still has gaps 
itself).

Also it might be worthwhile to probe some of the CAs who already have the code
signing trust bit enabled. They might have customers (or maybe just marketing 
campaigns?) who rely on a particular root precisely for code signing purposes.



  Original Message  
From: Kathleen Wilson
Sent: Monday, September 14, 2015 11:47 AM

On 9/11/15 10:55 AM, Brian Smith wrote:
> The same argument applies to email. Nobody wants to admit that Thunderbird
> is dead, it is uncomfortable to know that the S/MIME handling in
> Thunderbird has been unmaintained for at least half a decade, and it's a
> little embarrassing to admit that the model we use for deciding which CAs
> get the SSL trust bit works even less well for S/MIME and that basically
> nobody cares about the S/MIME or code signing bits. But that's all true.
> It's my professional opinion that if you actually care about S/MIME
> security then it would be a mistake to use Thunderbird. (Sorry, people
> volunteering to keep Thunderbird going.)


I still use Thunderbird, so I appreciate the volunteers who continue to 
support it!

Anyways, let's not discuss the Email trust bit in this particular 
discussion thread. I would like to keep this particular discussion 
focused on the policy proposal to remove the Code Signing trust bit.

We will have a separate discussion about the Email trust bit later when 
we talk about the following item:

https://wiki.mozilla.org/CA:CertificatePolicyV2.3#General_Policy_Cleanup
-- (D27) Clarify which audit criteria are required depending on which 
trust bits are set. In particular, root certs with only the S/MIME trust 
bit set will have different audit criteria requirements than root certs 
with the Websites trust bit set.

When we have that discussion, please feel free to re-voice your opinion 
about completely removing the Email trust bit, and I can also clarify 
what checks we currently do when a CA asks for the Email trust bit.

Thanks,
Kathleen



_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy