On Tuesday, 11 October 2016 09:47:20 UTC+1, Gervase Markham wrote:
> I guess you could ask a trusted competitor to generate them on new
> hardware and hold the HSMs securely, then you include the roots in
> Firefox straight away, and then only tell the competitor to release the
> HSMs to CA Foo once CA Foo had completed inclusion. But that seems
> complicated!
Some of the major root trust stores (e.g. Microsoft, Apple) also operate their own root CA, which they include in that store, for internal purposes at least. I believe none of them is trusted by another root trust store, but in principle they could be.

Mozilla could choose to do that too, and agree that when a new CA is added to NSS it will use the Mozilla CA (trusted but never used to issue end entity certificates) to cross-sign the new CA. The resulting certificate could be included in chains for the new CA's end entity certificates, allowing them to be trusted by older Firefox versions immediately.

Does that work?

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
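The cross-signing mechanism proposed above, as an added example that is not part of this thread and is not Mozilla's or NSS's code: it uses Go's crypto/x509 path builder in place of NSS, and every certificate name in it is a constructed placeholder ("Hypothetical Trust Store Root" stands in for the never-issuing Mozilla CA, "Hypothetical New CA Root" for the newly included CA). It generates the four certificates involved (store root, new root, cross-certificate carrying the new root's subject and key under the store root's signature, and an end-entity certificate issued by the new CA), then checks which client/chain combinations validate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a CA or server-leaf template; IsCA and BasicConstraintsValid are
// mandatory on the cross-certificate or Go will refuse to use it as an intermediate.
func template(serial int64, cn string, ca bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

func key() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// sign issues tmpl under parent with parentKey (parent == tmpl for a self-signed root).
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildPKI returns the four hypothetical certificates (all names are constructed
// placeholders): the trust-store operator's own root, the new CA's self-signed root,
// the cross-certificate, and an end-entity certificate issued by the new CA.
func BuildPKI() (storeRoot, newRoot, cross, leaf *x509.Certificate) {
	storeKey, newCAKey, leafKey := key(), key(), key()
	storeTmpl := template(1, "Hypothetical Trust Store Root", true)
	storeRoot = sign(storeTmpl, storeTmpl, &storeKey.PublicKey, storeKey)
	newTmpl := template(2, "Hypothetical New CA Root", true)
	newRoot = sign(newTmpl, newTmpl, &newCAKey.PublicKey, newCAKey)
	// Same subject and public key as newRoot but issued by storeRoot: a leaf signed
	// by newCAKey chains through this certificate exactly as through newRoot.
	cross = sign(template(3, "Hypothetical New CA Root", true), storeRoot, &newCAKey.PublicKey, storeKey)
	leaf = sign(template(4, "example.test", false), newRoot, &leafKey.PublicKey, newCAKey)
	return
}

// Chains reports whether leaf validates for example.test given the roots the client
// trusts and the intermediates the server sent alongside the leaf.
func Chains(leaf *x509.Certificate, roots, intermediates []*x509.Certificate) bool {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: interPool, DNSName: "example.test"})
	return err == nil
}

// Scenarios runs the client/chain combinations the proposal depends on.
func Scenarios(storeRoot, newRoot, cross, leaf *x509.Certificate) map[string]bool {
	old := []*x509.Certificate{storeRoot}              // client predating the new CA's inclusion
	updated := []*x509.Certificate{storeRoot, newRoot} // client shipped with the new root
	sent := []*x509.Certificate{cross}                 // what the server sends with the leaf
	return map[string]bool{
		"old client, server sends cross-cert":     Chains(leaf, old, sent),
		"old client, server omits cross-cert":     Chains(leaf, old, nil),
		"updated client, server sends cross-cert": Chains(leaf, updated, sent),
		"client trusting neither root":            Chains(leaf, nil, sent),
	}
}

func main() {
	for name, ok := range Scenarios(BuildPKI()) {
		fmt.Printf("%-42s %v\n", name, ok)
	}
}
```

Run it with `go run`; the old client validates only when the server includes the cross-certificate in its chain, the updated client validates with or without it, and a client trusting neither root fails. Two caveats a practitioner would want: the cross-certificate must carry the new root's exact subject and public key or the leaf's issuer lookup never reaches it, and the example relies on Go's path builder, which tries every candidate issuer; a client whose chain builder stops at the first subject match can behave differently, so the order and contents of the intermediates the server sends still matter.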