On 24/09/15 17:50, Kai Engert wrote:
> A Java runtime can include its own root store.
>
> For OpenJDK on Fedora Linux, my understanding is, we configure it to use the
> system's trust store, which contains the Mozilla trust bits.
Do we know how different that makes the behaviour from a JDK which
On 24/09/15 17:24, Kai Engert wrote:
> In past versions of Firefox, there was code that checked for a signature in
> the Add-On, and the user interface that asked for permission to install displayed
> information found in the signature (the name of the owner of the code signing
> certificate).
On Mon, 2015-09-07 at 13:58 +0100, Gervase Markham wrote:
> On 04/09/15 14:09, Phillip Hallam-Baker wrote:
> > Has Mozilla stopped supporting Thunderbird?
>
> No. Mozilla-the-project still develops and supports Thunderbird.
>
> I had thought this was about code signing only, but reading back, I
On Fri, 2015-09-04 at 14:26 +0200, Hubert Kario wrote:
> On Thursday 03 September 2015 11:22:26 Kathleen Wilson wrote:
> > 2) Remove included root certs that only have the Code Signing trust
> > bit enabled. To our knowledge, no one is using such root certs via
> > the NSS root store.
>
> I'm not
On Fri, 2015-09-04 at 11:25 +0200, Kurt Roeckx wrote:
> On 2015-09-03 20:22, Kathleen Wilson wrote:
> > 2) Remove included root certs that only have the Code Signing trust bit
> > enabled. To our knowledge, no one is using such root certs via the NSS
> > root store.
>
> I'm wondering how you
On 18/09/15 09:55, Rob Stradling wrote:
> But since there are no current plans to change Thunderbird...
> Does this mean that Thunderbird still has a use for code signing
> certificates from commercial CAs and, consequently, the NSS code signing
> trust bit?
That would be a question for the
On 17/09/15 12:19, Rob Stradling wrote:
> On 15/09/15 10:17, Gervase Markham wrote:
>> On 11/09/15 22:06, Rob Stradling wrote:
>>> On 11/09/15 13:05, Gervase Markham wrote:
On 08/09/15 10:54, Rob Stradling wrote:
> Assuming this is still Mozilla's plan, please would you clarify which
On 15/09/15 10:17, Gervase Markham wrote:
> On 11/09/15 22:06, Rob Stradling wrote:
>> On 11/09/15 13:05, Gervase Markham wrote:
>>> On 08/09/15 10:54, Rob Stradling wrote:
Assuming this is still Mozilla's plan, please would you clarify which
versions of Firefox and Thunderbird will be
On 11/09/15 22:06, Rob Stradling wrote:
> On 11/09/15 13:05, Gervase Markham wrote:
>> On 08/09/15 10:54, Rob Stradling wrote:
>>> Assuming this is still Mozilla's plan, please would you clarify which
>>> versions of Firefox and Thunderbird will be (or were?) the first
>>> versions that won't
On 08/09/15 10:54, Rob Stradling wrote:
> Hi Gerv.
>
> It seems clear from [1] that Firefox (and Thunderbird?) does (or at
> least did) use the NSS code signing trust bit for the purpose of
> verifying that addons/extensions have been signed by publicly-trusted
> code signing certs.
>
> I'm
Hi Ryan,
Thank you for your thought-provoking critique :-) Much appreciated.
On 07/09/15 17:54, Ryan Sleevi wrote:
> Once included, what criteria do they need to abide by? Only Item 7 from
> the Inclusion policy -
>
Hi Gerv.
It seems clear from [1] that Firefox (and Thunderbird?) does (or at
least did) use the NSS code signing trust bit for the purpose of
verifying that addons/extensions have been signed by publicly-trusted
code signing certs.
I'm aware that over the past year Mozilla have been looking at
On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote:
> As already pointed out, this is probably at least used by java on
> most Linux distributions.
When you say "Java", it would be helpful to clarify.
Oracle/Sun operate their own root store for Java, so this presumably would
be
On Tue, Sep 8, 2015 at 3:22 PM, Ryan Sleevi wrote:
> On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote:
> > As already pointed out, this is probably at least used by java on
> > most Linux distributions.
>
> When you say "Java", it would be helpful to
Ryan Sleevi wrote:
I fear that others using the store for S/MIME or code-signing would think
the same as you. The reality is that this is not the case, which is why
it's all the more reason to make an informed decision.
As it stands, you could do each of those things I explicitly mentioned
On Tue, September 8, 2015 9:13 am, Jürgen Brauckmann wrote:
> Ryan,
>
> sorry, I don't understand you. You cannot pass a Webtrust for CAs audit
> when you do the things you mentioned. There is no difference between
> email/codesigning certs and TLS server certs.
Juergen,
The unfortunate
On Tue, September 8, 2015 12:10 am, Jürgen Brauckmann wrote:
> No, they would not abide by Mozilla's policies, because they would
> violate the requirements set forth by the audit schemes.
>
> Juergen
Hi Juergen,
I fear that others using the store for S/MIME or code-signing would think
the
On 9/3/15 11:22 AM, Kathleen Wilson wrote:
After some discussion with folks on the NSS team, here's a proposal:
1) Add an item to the "To Be Discussed" section of
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
to update Mozilla's CA Cert Policy to clarify which audit
On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed
> using Mozilla's own roots. There doesn't appear to be anyone else using the
> roots in the NSS root store for Code Signing. -- currently under discussion
>
On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx wrote:
> On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
>> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed
>> using Mozilla's own roots. There doesn't appear to be anyone else using the
>>
On 04/09/15 14:09, Phillip Hallam-Baker wrote:
> Has Mozilla stopped supporting Thunderbird?
No. Mozilla-the-project still develops and supports Thunderbird.
I had thought this was about code signing only, but reading back, I was
wrong. I would certainly oppose deprecating the email bit in our
On Mon, September 7, 2015 5:58 am, Gervase Markham wrote:
> On 04/09/15 14:09, Phillip Hallam-Baker wrote:
> > Has Mozilla stopped supporting Thunderbird?
>
> No. Mozilla-the-project still develops and supports Thunderbird.
>
> I had thought this was about code signing only, but reading back, I
On 2015-09-03 20:22, Kathleen Wilson wrote:
2) Remove included root certs that only have the Code Signing trust bit
enabled. To our knowledge, no one is using such root certs via the NSS
root store.
I'm wondering how you currently support things like java applets. As
far as I understand for
On Thursday 03 September 2015 11:22:26 Kathleen Wilson wrote:
> 2) Remove included root certs that only have the Code Signing trust
> bit enabled. To our knowledge, no one is using such root certs via
> the NSS root store.
I'm not familiar with the project, but Fedora Shared System
On Fri, Sep 4, 2015 at 4:53 AM, Gervase Markham wrote:
> On 03/09/15 19:22, Kathleen Wilson wrote:
> > 2) Remove included root certs that only have the Code Signing trust bit
> > enabled. To our knowledge, no one is using such root certs via the NSS
> > root store.
>
> This
After some discussion with folks on the NSS team, here's a proposal:
1) Add an item to the "To Be Discussed" section of
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
to update Mozilla's CA Cert Policy to clarify which audit criteria are
required depending on which
Thank you, we too consider general policy related discussions separate
from specific Root inclusion applications.
As for email trust bit enabled Roots, isn't TB another popular product
from Mozilla? However I'm not sure if NSS currently stores any "code
signing only" roots.
Thanks,
M.D.
On
On Mon, August 31, 2015 4:02 pm, Kathleen Wilson wrote:
> I have always viewed my job as running the NSS root store, which has
> many consumers, including (but not limited to) Mozilla Firefox. So, to
> remove something like root certs that only have the email trust bit
> enabled requires input
I'm afraid there seems to be a bit of misinterpretation of ETSI policies:
EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and
have cumulative effect: higher level (e.g. EVCP) conformance assessment
assumes lower level conformance while the opposite is not true.
In other words
On Mon, August 31, 2015 5:48 pm, Moudrick M. Dadashov wrote:
> I'm afraid there seems to be a bit of misinterpretation of ETSI policies:
> EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and
> have cumulative effect: higher level (e.g. EVCP) conformance assessment
> assumes
On 9/1/2015 3:56 AM, Ryan Sleevi wrote:
On Mon, August 31, 2015 5:48 pm, Moudrick M. Dadashov wrote:
I'm afraid there seems to be a bit of misinterpretation of ETSI policies:
EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and
have cumulative effect: higher level (e.g.