On Friday, September 23, 2016 at 9:31:14 AM UTC-7, Jakob Bohm wrote:

> 2.2: Mozilla also makes an e-mail client (Thunderbird) which uses the
> same CA root list and the same NSS security library to check e-mail
> certificates. E-mail trust bits are still part of the Mozilla CA root
> database.
That is, but there's no set of industry policies with respect to e-mail certificates, there's no need (and plenty of reason not to) to log e-mail certificates to CT logs, there is no profile of e-mail certificates, and there is no participation from Thunderbird maintainers. As with below, you are raising a concern that, however accurate, because of the realities of the situation has little to no bearing, as a practical matter, on the discussion.

> 2.3: Some non-Mozilla projects still use the Mozilla CA root list to
> check code and document signatures, because the Mozilla CA root program
> is the only major CA root program run in an open source fashion. Thus
> the discussions on this mailing list would tend to inform the
> maintainers of some of those projects regarding their setting of code
> signing trust bits.

As has been repeatedly mentioned, those other applications are out of scope, the application developers and maintainers do not participate in these discussions, and so while your affected parties certainly exist, there's nothing this community can or should do further with respect to this.

That is, as with any project, you can't say to upstream "Don't change this, this will break downstream" if downstream is not involved and participating in the discussions. If downstream wants to avoid breakage, downstream should work with upstream.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy