On 15/08/17 13:59, Ryan Sleevi wrote:
> Note: adding to certdata.txt, at present, will have various undesirable
> side-effects:
>
> - Distrust records, without associated certs, can present UI issues when
> viewing and editing (which is why the associated certs are included in
> certdata.txt)

The current distrust records do have associated certs, right?

> - Distrust records, _with_ associated certs, can present UI issues when
> viewing and editing (yes, it's a no-win, and that's the point)

I assume you mean UI issues in Firefox/Thunderbird specifically?

> - Distrust records, _with_ associated certs, can present new challenges for
> distributions that patch (failing to include a new root = things don't work
> that should. failing to distrust an old certificate = things that shouldn't
> work, do)

However, these are existing rather than new challenges, given that we already have such certificates in the store.

> Could you indicate what you believe 'big' distrusts are versus 'little'
> distrusts? Are we talking root vs subordinate CA? Something else?

"Big" probably means DigiNotar-scale Internet hoo-ha.

Gerv

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy