On 2017-07-12 16:12, Ryan Sleevi wrote:
I don't know if this currently happens, but I would like to see all CA
certificates that are in OneCRL but are not revoked to be added to the root
store as distrusted too.


Why? I can share reasons why it might not be desirable, but rather than
start out negatively, I was hoping you could expand upon the reasons for
including.

My understanding is that certdata.txt is what defines the trust of the root store, and that OneCRL is mostly a browser-only thing to get revocation information, but is also (ab)used to distrust something.

The certdata.txt currently does explicitly list CA certificates that shouldn't be trusted.

As far as I know, external users of the trust information currently only use certdata.txt. So only adding it to OneCRL will not reach all the users of the trust store.

It could be that the combination is what should be used, but as far as I know it's not documented as such, and I doubt it gets used much outside Mozilla products.


Kurt
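As an added example (not part of the thread, and not Mozilla's tooling): a small Python reader for the certdata.txt trust objects Kurt mentions, run over a constructed sample in the same syntax (the CA labels are made up) to list which entries the file explicitly marks CKT_NSS_NOT_TRUSTED, i.e. the distrust that external consumers of certdata.txt do see.

```python
import re

# Constructed sample in certdata.txt syntax (not Mozilla's file); labels are made up.
SAMPLE = r"""
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Trusted Root"
CKA_CERT_SHA1_HASH MULTILINE_OCTAL
\001\002
END
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_TRUSTED_DELEGATOR
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_MUST_VERIFY_TRUST

# Explicit distrust: every usage marked CKT_NSS_NOT_TRUSTED
CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST
CKA_LABEL UTF8 "Example Distrusted CA"
CKA_TRUST_SERVER_AUTH CK_TRUST CKT_NSS_NOT_TRUSTED
CKA_TRUST_EMAIL_PROTECTION CK_TRUST CKT_NSS_NOT_TRUSTED
"""
TRUST_ATTRS = ("CKA_TRUST_SERVER_AUTH", "CKA_TRUST_EMAIL_PROTECTION", "CKA_TRUST_CODE_SIGNING")


def parse_objects(text):
    """One {attribute: value} dict per object (an object starts at CKA_CLASS); MULTILINE_OCTAL blocks decode to bytes."""
    objects, current, lines = [], None, iter(text.splitlines())
    for line in lines:
        parts = line.strip().split(None, 2)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or stray token
        attr, typ = parts[0], parts[1]
        if typ == "MULTILINE_OCTAL":
            body = []
            for raw in lines:  # consume the same iterator up to the END marker
                if raw.strip() == "END":
                    break
                body.append(raw.strip())
            value = bytes(int(o, 8) for o in re.findall(r"\\(\d{3})", "".join(body)))
        else:
            value = parts[2].strip('"') if len(parts) == 3 else ""
        if attr == "CKA_CLASS":
            current = {}
            objects.append(current)
        if current is not None:
            current[attr] = value
    return objects


def labels_with_trust(text, flag, usages=TRUST_ATTRS):
    """Labels of CKO_NSS_TRUST objects carrying `flag` for any usage; flag="CKT_NSS_NOT_TRUSTED" gives the explicit distrust entries."""
    return sorted(obj["CKA_LABEL"] for obj in parse_objects(text)
                  if obj.get("CKA_CLASS") == "CKO_NSS_TRUST"
                  and any(obj.get(u) == flag for u in usages))
```

Pointing `labels_with_trust` at a real certdata.txt with flag `CKT_NSS_NOT_TRUSTED` lists the distrust entries that a consumer reading only that file will honour, which is the gap Kurt describes for anything recorded solely in OneCRL.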
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy