Re: Remove Roots used for only Email and CodeSigning?

2015-09-18 Thread Gervase Markham
On 18/09/15 09:55, Rob Stradling wrote:
> But since there are no current plans to change Thunderbird...
> Does this mean that Thunderbird still has a use for code signing
> certificates from commercial CAs and, consequently, the NSS code signing
> trust bit?

That would be a question for the

Re: Remove Roots used for only Email and CodeSigning?

2015-09-18 Thread Rob Stradling
On 17/09/15 12:19, Rob Stradling wrote: > On 15/09/15 10:17, Gervase Markham wrote: >> On 11/09/15 22:06, Rob Stradling wrote: >>> On 11/09/15 13:05, Gervase Markham wrote: On 08/09/15 10:54, Rob Stradling wrote: > Assuming this is still Mozilla's plan, please would you clarify which

Re: Firefox security too strict (HSTS?)?

2015-09-18 Thread Anil G
> > To make my point again, I can't access https://input.mozilla.org/en-US/
> > from Firefox, I have to use Chrome.
> In Chrome, navigate to https://input.mozilla.org/en-US/
> and then click the green lock. Click on
> the "Connection" tab then cut and paste

Re: Policy Update Proposal: Remove Code Signing Trust Bit

2015-09-18 Thread Peter Kurrasch
Hi Kathleen,

This summary looks pretty good. I think you could add the point raised by Man Ho which essentially asks the question of who should/can/will evaluate the trustworthiness of root certs. There are pros and cons either way on that one. One last comment I'll make is that, among other

Re: Firefox security too strict (HSTS?)?

2015-09-18 Thread Eric Mill
Small note, to correct a misunderstanding from earlier in the thread -- even if *.mozilla.org were doing key pinning, Chromium/Chrome will ignore key pins if the observed cert chains up to a user/enterprise-installed root. So that wouldn't cause any issues.

-- Eric

On Fri, Sep 18, 2015 at 12:06