Hey Sid, can you give an update on this action plan? https://groups.google.com/group/mozilla.dev.security/browse_thread/thread/f8afac1eef7cb4cd/
Gerv had given an update last June: https://groups.google.com/group/mozilla.dev.security/msg/2b50d4d8dee715ba
After the few meetings and a couple of hours of discussion in the last two days, we've made a short list of desired upgrades for NSS/PSM for the near term. This message should hopefully serve as a summary of the technical bits that -- based on the discussions -- seemed most urgent. Here they are, prioritized into three buckets: - A (things we want soonest) - B (things we want fairly soon) - C (things we want, but after A and B are done) Bucket A: - Move to libpkix for all cert validation (bug 479393) - Complete active distrust in NSS (bug 470994) - Implement callbacks to augment validation checking (bug 644640) - Implement subscription-based blocklisting of certs via update ping (remove need to ship patch) Bucket B: - Implement OCSP Stapling (bug 360420) - Implement date-based revocation (distrust certs after specific date) - CA locking functionality in HSTS or via CAA Bucket C: - Disable cert overrides for *very old* expired certs (might not be in any CRLs anymore)
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
