There are 9 NSS bugs requesting new root CA certs and/or changes to trust flags on existing root CA certs in NSS. See them at
<https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&product=NSS&component=CA+Certificates&resolution=---&chfieldto=2009-05-17&chfield=%5BBug+creation%5D&order=Bug+Number> Today, I "took" those bugs and implemented them, creating a large patch, which I attached to bug 493660. I have the right to do that because I am one of NSS's module owners. I also attached to that bug a build of nssckbi.dll that can be tested with any Firefox 3.0.x build for Win32 that was built and distributed by Mozilla. (It uses Mozilla's custom C run-time library, which only works with Mozilla's builds for Windows.) The normal testing procedure also involves building test builds for Linux and MacOS/X. I didn't build test builds of nssckbi for those platforms. I would welcome others here to take the patch from bug 493660 and build optimized builds of nssckbi for MaxOSX or Linux and attach their nssckbi builds (only that file) to that bug. The next step is for the CAs to test the nssckbi DLL that I built and report if it is satisfactory (or more specifically, if it does what their respective NSS RFE asked for it to do). Now, I don't want to set unrealistic expectations, so I must inform you that I have NO idea whether Mozilla Corporation will accept any additional NSS changes at this point or not. Three weeks ago, Bob Relyea and I wrote to MoCo powers-that-be asking about this, and we're still awaiting an answer. Maybe Frank can make something good happen there. There are 6 PSM bugs, requesting that certain root CA certs be EV-enabled. You may see those at: <https://bugzilla.mozilla.org/buglist.cgi?query_format=advanced&short_desc_type=allwords&short_desc=Enable+EV&product=Core&component=Security%3A+PSM&resolution=---&bug_severity=enhancement&chfieldto=Now&order=Bug+Number> I am not a PSM module owner or peer, and do not have the right to take those bugs. It would be good if one of the PSM module peers would take those and implement them. But again, I do not know if those changes will be accepted for FF 3.5 at this late time, or not. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto