I actually think the transparent and reusable root store is a huge value that Mozilla provides. Others are free to use it and can rely on Mozilla to do the due diligence on who they add/remove from the root store. As long as their values, align with Mozilla, they get a transparent and robust process for evaluating roots and root operators. It's great!
On Fri, Feb 7, 2025 at 8:44 AM Mike Shaver <[email protected]> wrote: > On Fri, Feb 7, 2025 at 10:29 AM 'Matthew McPherrin' via > [email protected] <[email protected]> wrote: > >> The "distrust after" dates are specific to root programs like Mozilla, >> and not a CA/B Forum thing at all. There's no "non-standard extensions" ... >> because there's no extensions at all. It is not represented in X509, or in >> any format beyond Mozilla's internal ones. >> >> The fact that Linux distributions and other software like Alpine and curl >> are "copying Mozilla's homework" and not getting the full metadata is a >> problem, but I don't think the fault lies at Mozilla's feet here. >> > > Hear, hear. These distributions are free to maintain their own CA lists if > they would like, or copy Chrome/Microsoft/Apple/Cisco's homework instead. > Or they can do the work to actually process the NSS internal root store in > a way that's semantically-consistent with Firefox's use of it. > > Mike > > -- > You received this message because you are subscribed to a topic in the > Google Groups "[email protected]" group. > To unsubscribe from this topic, visit > https://groups.google.com/a/mozilla.org/d/topic/dev-security-policy/gLhzSzo-XFw/unsubscribe > . > To unsubscribe from this group and all its topics, send an email to > [email protected]. > To view this discussion visit > https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqsSMVs7NuOMWMFydF_68Nrb6iYhOTWZLceGZn9ubEXpCQ%40mail.gmail.com > <https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CADQzZqsSMVs7NuOMWMFydF_68Nrb6iYhOTWZLceGZn9ubEXpCQ%40mail.gmail.com?utm_medium=email&utm_source=footer> > . > -- You received this message because you are subscribed to the Google Groups "[email protected]" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/CAFK%3DoS8H8c_60RF0pFZ8RGh%2Bmn8NUo76svhoikc_grSOuXhtJA%40mail.gmail.com.
