Eddy,

Eddy Nigg wrote:

> - software that uses NSS but isn't a product of Mozilla

Those products have to figure out where they pick up NSS.
Various vendors have come up with different solutions.

Both Sun and Red Hat have integrated NSS into the OS, and you can get the NSS libraries automatically updated by updating the OS.

Unfortunately, currently the process can take more than a couple of days at Sun after we produce them for the patches to be up in the Solaris update manager (sigh - don't get me started on that).

I don't know how long it takes at Red Hat from the time they build NSS to the time customers can download these patches.

> How to reach them within a reasonable useful time? I guess controlling that on the software level is problematic. For one, I'd expect MS to be fastest under such circumstances - at least for those that update their OS... same for other supported operating systems (like Red Hat), but a lot slower for applications which ship the crypto library (like NSS) as part of their software.

Yes, applications that bundle NSS are indeed the slowest to get the updates.

> Just imagine that one of the roots in NSS would have been affected by the Debian fiasco - pretty much anybody out there could have played CA... for days, maybe weeks, maybe beyond. That's scary.

Indeed. That's why we try to ensure that never happens - by having strong security requirements on every root we bundle.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto