Re: Tightening up after the Lenovo and Comodo MITM certificates.

2015-02-24 Thread Tyler Szabo
This thread seems fairly focused on a technical solution; whereas I see this problem being more of an informed consent situation. I'm reminded of the discussion leading up to the "know your rights" toolbar and another discussion with respect to whether or not to display HTTP connections with expli

Re: Tightening up after the Lenovo and Comodo MITM certificates.

2015-02-24 Thread Peter Kurrasch
I think focusing on the trusted root store as a way to resolve this problem is (or will be) less than ideal. I understand the desire to look there but I don't think it will necessarily end well. That said I don't have a great alternative myself but I do have some questions: 1) I saw a quote at

Re: Tightening up after the Lenovo and Comodo MITM certificates.

2015-02-24 Thread Brian Smith
Daniel Veditz wrote: > I don't think we can restrict it to add-ons since external programs like > Superfish (and the Lenovo removal tool, for that matter) write directly > into the NSS profile database. It would be a bunch of work for precisely > zero win. mozilla::pkix makes it so that you can i

Re: Tightening up after the Lenovo and Comodo MITM certificates.

2015-02-24 Thread Daniel Veditz
On 2/23/15 3:55 PM, Richard Barnes wrote: > If I understand correctly (dveditz CC'ed to correct me), the current add-on > signing tool has a provision for signing add-ons that are not published > through AMO. They still need to be submitted to AMO to be scanned and > signed, but they're not publis

Re: Tightening up after the Lenovo and Comodo MITM certificates.

2015-02-24 Thread Hubert Kario
On Monday 23 February 2015 18:55:34 Richard Barnes wrote: > On Mon, Feb 23, 2015 at 5:28 PM, Matt Palmer wrote: > > On Mon, Feb 23, 2015 at 02:14:13PM -0800, Clint Wilson wrote: > > > Lots of Enterprises and organizations have very legitimate requirements to add their own inter

RE: Tightening up after the Lenovo and Comodo MITM certificates.

2015-02-24 Thread Medin, Steven
With the vast number of private PKIs created by the CA service included in Windows Server, the enterprise market tends to rely on Active Directory-based distribution within the forests it controls. This leads to an IE mandate, within a network that the owner/operator of the PKI controls. When a p

Re: Tightening up after the Lenovo and Comodo MITM certificates.

2015-02-24 Thread Juergen Christoffel
On 23.02.15 22:39, John Nagle wrote: > With the Lenovo and Comodo disclosures, the restrictions on loading new certificates into Firefox clients need to be tightened. The MITM ad/malware was installed via the Windows Certificate Store and not into browsers, so I cannot follow your conclusion.