On 10/13/2015 8:04 AM, Kathleen Wilson wrote:
> All,
> 
> Many people have contacted me because they heard that Mozilla is 
> considering removing the Email trust bit, and they ask that we keep the 
> Email trust bit because they use the root certs in Mozilla's root store 
> (NSS) with the Email trust bit enabled in current and future 
> projects/products/applications. Gerv has provided some data from CAs in 
> support of this. [1]
> 
> Based on this discussion[2] and all of the input that I have received, I 
> believe that we should keep the Email trust bit.
> 
> However, this discussion has surfaced the valid concerns that we need 
> resource commitment to improve the policy and practices supporting the 
> Email trust bit.
> 
> Here's what I think the person/people would do for S/MIME roots/certs:
> 1) Maintain and improve the code in NSS supporting S/MIME.
> 2) Become an expert in this area, learning about and providing 
> information about how different countries, organizations, enterprises, 
> and companies are depending on certs chaining up to publicly-trusted 
> root certs that have the Email trust bit enabled.
> 3) Improve policies and requirements for CAs in the NSS root store with 
> the Email trust bit enabled. This includes determining which audit 
> criteria are required, and which auditors may be used.
> 4) Review each of the root inclusion/change requests for roots with the 
> Email trust bit to be enabled, and provide feedback in 
> mozilla.dev.security.policy.
> 5) Contribute to the decisions about whether or not to approve each 
> request to enable the Email trust bit.
> 
> I believe that such a resource commitment would satisfy all of the 
> arguments against the Email trust bit that Ryan so eloquently 
> summarized. [3]
> 
> Is this a fair assessment?
> 
> Is there anything else that should be added to the "job description" above?
> 
> Thanks,
> Kathleen
> 
> [1]https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/3NRrmmwBAgAJ
> https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/9QRe7JlSAwAJ
> 
> [2] 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/M6OpyA5FBAAJ
> 
> [3] 
> https://groups.google.com/d/msg/mozilla.dev.security.policy/atSYV_QPPFA/ycC96j6PBAAJ
> 
> 

For E-mail, I would much rather use OpenPGP instead of S/MIME.  However,
the mail-news component alters E-mail and newsgroup messages in a way
after they have been encrypted or signed that renders the encryption or
signature invalid.  Bug reports about this situation are generally
marked Closed/WontFix.

-- 
David E. Ross

The Crimea is Putin's Sudetenland.
The Ukraine will be Putin's Czechoslovakia.
See <http://www.rossde.com/editorials/edtl_PutinUkraine.html>.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
