On 28/03/12 02:40, John Nagle wrote:
On 9/2/2011 11:42 PM, Daniel Veditz wrote:
On 8/31/11 3:52 PM, Hill, Brad wrote:
Mozilla could add a certificate it controls to the trusted root
store with which it cross-signs other CA certs, adding a
nameConstraints in the process, yes?

In theory. In practice Firefox uses the historical certificate
verification code and not the NSS pkix code, and the old code does
not support constraints. We are working through a list of pkix bugs
with the goal of switching over.

-Dan Veditz

Excellent. That work should be pushed.

John, one of the NSS/PSM developers said to me recently...
"If only someone contributed developer manpower to NSS, in order to get the bugs fixed that currently block us from switching to libPKIX by default..."

So if your organization has any suitably skilled developers with time on their hands, then I think contributing developer manpower would be the most effective thing you could do to push this work along.

<snip>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
