Re: Where is NSS used?
On Wed, 2013-07-10 at 11:20 -0700, Robert Relyea wrote:
> On 07/08/2013 12:00 PM, Rick Andrews wrote:
>
> What context are you talking about? If you remove the roots from firefox using the firefox UI, it won't remove the roots for other applications.

I guess Rick talks about getting it removed from the master root CA list maintained by Mozilla.

Ryan already gave helpful hints on what to consider.

Any change to the list eventually gets wide distribution. Many applications and open source projects use that list, as a recommended set of root CA certificates and trust flags - with NSS or independent of NSS.

Kai

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Where is NSS used?
I need to remove some 1024-bit roots from Firefox’s trust store, but I realize that these trusted roots are part of the NSS library, and that the NSS library is used by lots of other software, not just Firefox. Removing these roots may have far-reaching consequences.

I understand that there isn't a list of all the different places where NSS is used, but can anyone provide some guidance? Even a broad incomplete list of NSS users is better than nothing.

Thanks!

Re: Where is NSS used?
On Mon, July 8, 2013 12:00 pm, Rick Andrews wrote:
> I need to remove some 1024-bit roots from Firefox’s trust store, but I realize that these trusted roots are part of the NSS library, and that the NSS library is used by lots of other software, not just Firefox. Removing these roots may have far-reaching consequences.
>
> I understand that there isn't a list of all the different places where NSS is used, but can anyone provide some guidance? Even a broad incomplete list of NSS users is better than nothing.
>
> Thanks!

Rick,

I think you may find it better to consider moz.dev.sec.policy, in the hope of reaching the people watching for additions.

The issue is that there are a vast, vast number of applications that use the Mozilla Root Certificate Program data, but without using NSS. The removal of these roots would equally affect them.

This includes, for example, nearly every major Linux distribution (typically as part of their ca-certificates package), which are further consumed by a variety of applications and libraries (including OpenSSL, GnuTLS, and plenty of 'home-grown' solutions, unfortunately).

That said, the operation of Mozilla's Root Program is done according to the needs and abilities of NSS, and these secondary consumers are not 'officially' supported.

Re: Where is NSS used?
On 07/08/2013 12:00 PM, Rick Andrews wrote:
> I need to remove some 1024-bit roots from Firefox’s trust store, but I realize that these trusted roots are part of the NSS library, and that the NSS library is used by lots of other software, not just Firefox. Removing these roots may have far-reaching consequences.
>
> I understand that there isn't a list of all the different places where NSS is used, but can anyone provide some guidance? Even a broad incomplete list of NSS users is better than nothing.
>
> Thanks!

What context are you talking about? If you remove the roots from firefox using the firefox UI, it won't remove the roots for other applications.

The builtins root store is a compiled binary file. When you use the firefox UI to remove the root, it creates an entry in your local cert database that says the cert 'has been removed'. It's really still there, but marked as not explicitly trusted, which overrides the trust in the builtin's database. Other applications using their own database will not see these changes.

bob