I was digging through the NSS source code, and I ran across two
undocumented trust flags: CERTDB_INVISIBLE_CA and CERTDB_GOVT_APPROVED_CA.

As far as I can tell, CERTDB_INVISIBLE_CA seems to indicate that the UI
should hide the existence of the CA from the user, while
CERTDB_GOVT_APPROVED_CA seems to have something to do with crypto export
regulations.  I'm wondering if anyone can explain what exactly the
intended purpose of these flags is, and whether they actually have any
effect in any of the NSS software ecosystem (including Firefox, but also
including the NSS certificate verifier, any of the various NSS tools
distributed by Mozilla, and anything else that uses NSS that you're
aware of).  I can't think of any reason for CERTDB_INVISIBLE_CA to exist
(other than making it easier for backdoors to be stealthily inserted,
which I assume isn't the intended use case), and I'm also surprised that
CERTDB_GOVT_APPROVED_CA is a thing in 2018 since (as far as I know)
crypto export regulations haven't existed for a couple of decades.

Cheers,
-- 
-Jeremy Rand
Lead Application Engineer at Namecoin
Mobile email: jeremyrandmob...@airmail.cc
Mobile OpenPGP: 2158 0643 C13B B40F B0FD 5854 B007 A32D AB44 3D9C
Send non-security-critical things to my Mobile with OpenPGP.
Please don't send me unencrypted messages.
My business email jer...@veclabs.net is having technical issues at the
moment.


_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
