Nelson B wrote:

There are two sets of questions before us regarding this new extension
and the "qualified statements" it contains. They are:

a) what should NSS do about them?
...
In the cited bug, I have proposed to implement this extension in NSS
in a way that makes the support for this extension conditional on the
application that uses NSS.  As proposed, if the application that uses
NSS says to NSS, "Trust me, I handle this, you treat it as recognized
and supported", then NSS would do so.


I can't see that NSS can really do much more
than reveal the information.  As the critical
bit reaches well into the "policy & politics" layer
(shades of those old ISO 9 layer t-shirts) already,
most if not all of the action has to happen in the
application.

One possibility is that there is some static flag
that is set by the application that says, if a critical
bit is set, then throw an exception.  The problem
with this is that even then, it has no meaning,
as the code that interprets the crit is almost
certainly in the application layer, and NSS does
not know what is up there.

One could talk about installing crit handlers
into NSS, but what are they to do?  What do
they have access to?  Drawing from my remarks
on the security implications of the critical bit
being used against the code, I suspect trying
to define the semantics of these handlers would
be a bit of a nightmare - shades of the Java
sandbox approach, which is vaguely workable
if you spend a lot of time on it, but nobody in
the serious security world that I know of thinks
it qualifies as security.

(I see that you are talking about just that in the
Bug posting...)

So if your API makes that information available
on request to the application, then that seems
about the right thing to do ... to me.  The alternate
that NSS should treat the crit as its _responsibility_
in terms of making decisions is troubling.

The question then is, what
will the application(s) do with the info in this extension, if anything?


Which leaves open the question of what the
apps do.

iang

PS: I seem to have shortened "critical bit" to
"crit" in the above...

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
Mozilla-security mailing list
http://mail.mozilla.org/listinfo/mozilla-security
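
The opt-in proposal quoted at the top of this message can be modelled as below. This is an added example, not NSS code and not code from either poster: the types, function names and sample certificate are hypothetical, and the OIDs are the standard ones for keyUsage, basicConstraints, subjectAltName and id-pe-qcStatements. A critical extension passes only if the library or the application claims it, and the index of the first unclaimed one is returned so the application can see what blocked validation.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical model type, not an NSS structure. */
typedef struct { const char *oid; bool critical; } cert_ext;

/* Extensions the model library processes itself (constructed subset). */
static const char *const LIB_KNOWN[] = {
    "2.5.29.15", /* keyUsage */
    "2.5.29.19", /* basicConstraints */
};

static bool oid_in(const char *oid, const char *const *set, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (strcmp(oid, set[i]) == 0) return true;
    return false;
}

/* Returns the index of the first critical extension that neither the
 * library nor the application claims to process, or -1 if all critical
 * extensions are covered. app_handled is the application's
 * "trust me, I handle this" list; non-critical extensions never block. */
int first_unhandled_critical(const cert_ext *exts, size_t n_exts,
                             const char *const *app_handled, size_t n_app) {
    for (size_t i = 0; i < n_exts; i++) {
        if (!exts[i].critical) continue;
        if (oid_in(exts[i].oid, LIB_KNOWN,
                   sizeof LIB_KNOWN / sizeof *LIB_KNOWN)) continue;
        if (oid_in(exts[i].oid, app_handled, n_app)) continue;
        return (int)i;
    }
    return -1;
}

/* Constructed sample: critical keyUsage, critical qcStatements, plain SAN. */
static const cert_ext SAMPLE[] = {
    { "2.5.29.15", true },
    { "1.3.6.1.5.5.7.1.3", true },  /* id-pe-qcStatements */
    { "2.5.29.17", false },         /* subjectAltName */
};
static const char *const APP_QC[] = { "1.3.6.1.5.5.7.1.3" };

/* Validate SAMPLE with or without the application claiming qcStatements. */
int check_sample(bool app_claims_qc) {
    return first_unhandled_critical(SAMPLE, 3, APP_QC, app_claims_qc ? 1 : 0);
}
```

The library never learns whether the application really interprets the extension; the opt-in list only records the claim, which is the limitation raised in the reply above.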