All,
Many people have contacted me because they heard that Mozilla is
considering removing the Email trust bit, and they ask that we keep the
Email trust bit because they use the root certs in Mozilla's root store
(NSS) with the Email trust bit enabled in current and future
projects/products/applications. Gerv has provided some data from CAs in
support of this. [1]
Based on this discussion[2] and all of the input that I have received, I
believe that we should keep the Email trust bit.
However, this discussion has surfaced the valid concerns that we need
resource commitment to improve the policy and practices supporting the
Email trust bit.
Here's what I think the person/people would do for S/MIME roots/certs:
1) Maintain and improve the code in NSS supporting S/MIME.
2) Become an expert in this area, learning about and providing
information about how different countries, organizations, enterprises,
and companies are depending on certs chaining up to publicly-trusted
root certs that have the Email trust bit enabled.
3) Improve policies and requirements for CAs in the NSS root store with
the Email trust bit enabled. This includes determining which audit
criteria are required, and which auditors may be used.
4) Review each of the root inclusion/change requests for roots with the
Email trust bit to be enabled, and provide feedback in
mozilla.dev.security.policy.
5) Contribute to the decisions about whether or not to approve each
request to enable the Email trust bit.
I believe that such a resource commitment would satisfy all of the
arguments against the Email trust bit that Ryan so eloquently
summarized. [3]
Is this a fair assessment?
Is there anything else that should be added to the "job description" above?
Thanks,
Kathleen
[1]https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/3NRrmmwBAgAJ
https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/9QRe7JlSAwAJ
[2]
https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/M6OpyA5FBAAJ
[3]
https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/ycC96j6PBAAJ
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy