Re: Remove Roots used for only Email and CodeSigning?

On 24/09/15 17:50, Kai Engert wrote: > A Java runtime can include its own root store. > > For OpenJDK on Fedora Linux, my understanding is, we configure it to use the > system's trust store, which contains the Mozilla trust bits. Do we know how different that makes the behaviour from a JDK which

Re: Remove Roots used for only Email and CodeSigning?

On 24/09/15 17:24, Kai Engert wrote: > In past versions of Firefox, there was code that checked for a signature in > the > Add-On, and the user interface that asked for permission to install displayed > information found in the signature (the name of the owner of the code signing > certificate).

Re: Remove Roots used for only Email and CodeSigning?

On Mon, 2015-09-07 at 13:58 +0100, Gervase Markham wrote: > On 04/09/15 14:09, Phillip Hallam-Baker wrote: > > Has Mozilla stopped supporting Thunderbird? > > No. Mozilla-the-project still develops and supports Thunderbird. > > I had thought this was about code signing only, but reading back, I

Re: Remove Roots used for only Email and CodeSigning?

On Fri, 2015-09-04 at 14:26 +0200, Hubert Kario wrote: > On Thursday 03 September 2015 11:22:26 Kathleen Wilson wrote: > > 2) Remove included root certs that only have the Code Signing trust > > bit enabled. To our knowledge, no one is using such root certs via > > the NSS root store. > > I'm not

Re: Remove Roots used for only Email and CodeSigning?

On Fri, 2015-09-04 at 11:25 +0200, Kurt Roeckx wrote: > On 2015-09-03 20:22, Kathleen Wilson wrote: > > 2) Remove included root certs that only have the Code Signing trust bit > > enabled. To our knowledge, no one is using such root certs via the NSS > > root store. > > I'm wondering how you

Re: Remove Roots used for only Email and CodeSigning?

On 18/09/15 09:55, Rob Stradling wrote: > But since there are no current plans to change Thunderbird... > Does this mean that Thunderbird still has a use for code signing > certificates from commercial CAs and, consequently, the NSS code signing > trust bit? That would be a question for the

Re: Remove Roots used for only Email and CodeSigning?

On 17/09/15 12:19, Rob Stradling wrote: > On 15/09/15 10:17, Gervase Markham wrote: >> On 11/09/15 22:06, Rob Stradling wrote: >>> On 11/09/15 13:05, Gervase Markham wrote: On 08/09/15 10:54, Rob Stradling wrote: > Assuming this is still Mozilla's plan, please would you clarify which

Re: Remove Roots used for only Email and CodeSigning?

On 15/09/15 10:17, Gervase Markham wrote: > On 11/09/15 22:06, Rob Stradling wrote: >> On 11/09/15 13:05, Gervase Markham wrote: >>> On 08/09/15 10:54, Rob Stradling wrote: Assuming this is still Mozilla's plan, please would you clarify which versions of Firefox and Thunderbird will be

Re: Remove Roots used for only Email and CodeSigning?

On 11/09/15 22:06, Rob Stradling wrote: > On 11/09/15 13:05, Gervase Markham wrote: >> On 08/09/15 10:54, Rob Stradling wrote: >>> Assuming this is still Mozilla's plan, please would you clarify which >>> versions of Firefox and Thunderbird will be (or were?) the first >>> versions that won't

Re: Remove Roots used for only Email and CodeSigning?

On 08/09/15 10:54, Rob Stradling wrote: > Hi Gerv. > > It seems clear from [1] that Firefox (and Thunderbird?) does (or at > least did) use the NSS code signing trust bit for the purpose of > verifying that addons/extensions have been signed by publicly-trusted > code signing certs. > > I'm

Re: Remove Roots used for only Email and CodeSigning?

Hi Ryan, Thank you for your thought-provoking critique :-) Much appreciated. On 07/09/15 17:54, Ryan Sleevi wrote: > Once included, what criteria do they need to abide by? Only Item 7 from > the Inclusion policy - >

Re: Remove Roots used for only Email and CodeSigning?

Hi Gerv. It seems clear from [1] that Firefox (and Thunderbird?) does (or at least did) use the NSS code signing trust bit for the purpose of verifying that addons/extensions have been signed by publicly-trusted code signing certs. I'm aware that over the past year Mozilla have been looking at

Re: Remove Roots used for only Email and CodeSigning?

On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote: > As already pointed out, this is probably at least used by java on > most Linux distributions. When you say "Java", it would be helpful to clarify. Oracle/Sun operate their own root store for Java, so this presumably would be

Re: Remove Roots used for only Email and CodeSigning?

On Tue, Sep 8, 2015 at 3:22 PM, Ryan Sleevi wrote: > On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote: > > As already pointed out, this is probably at least used by java on > > most Linux distributions. > > When you say "Java", it would be helpful to

Re: Remove Roots used for only Email and CodeSigning?

Ryan Sleevi schrieb: I fear that others using the store for S/MIME or code-signing would think the same as you. The reality is that this is not the case, which is why it's all the more reason to make an informed decision. As it stands, you could do each of those things I explicitly mentioned

Re: Remove Roots used for only Email and CodeSigning?

On Tue, September 8, 2015 9:13 am, Jürgen Brauckmann wrote: > Ryan, > > sorry, I don't understand you. You cannot pass an Webtrust for CAs audit > when you do the things you mentioned. There is no difference between > email/codesigning certs and TLS server certs. Juergen, The unfortunate

Re: Remove Roots used for only Email and CodeSigning?

On Tue, September 8, 2015 12:10 am, Jürgen Brauckmann wrote: > No, they would not abide to mozillas policies, because they would > violate the requirements set forth by the audit schemes. > > Juergen Hi Juergen, I fear that others using the store for S/MIME or code-signing would think the

Re: Remove Roots used for only Email and CodeSigning?

On 9/3/15 11:22 AM, Kathleen Wilson wrote: After some discussion with folks on the NSS team, here's a proposal: 1) Add an item to the "To Be Discussed" section of https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3 to update Mozilla's CA Cert Policy to clarify which audit

Re: Remove Roots used for only Email and CodeSigning?

On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote: > 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed > using Mozilla's own roots. There doesn't appear to be anyone else using the > roots in the NSS root store for Code Signing. -- currently under discussion >

Re: Remove Roots used for only Email and CodeSigning?

On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx wrote: > On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote: >> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed >> using Mozilla's own roots. There doesn't appear to be anyone else using the >>

Re: Remove Roots used for only Email and CodeSigning?

On 04/09/15 14:09, Phillip Hallam-Baker wrote: > Has Mozilla stopped supporting Thunderbird? No. Mozilla-the-project still develops and supports Thunderbird. I had thought this was about code signing only, but reading back, I was wrong. I would certainly oppose deprecating the email bit in our

Re: Remove Roots used for only Email and CodeSigning?

On Mon, September 7, 2015 5:58 am, Gervase Markham wrote: > On 04/09/15 14:09, Phillip Hallam-Baker wrote: > > Has Mozilla stopped supporting Thunderbird? > > No. Mozilla-the-project still develops and supports Thunderbird. > > I had thought this was about code signing only, but reading back, I

Re: Remove Roots used for only Email and CodeSigning?

On 2015-09-03 20:22, Kathleen Wilson wrote: 2) Remove included root certs that only have the Code Signing trust bit enabled. To our knowledge, no one is using such root certs via the NSS root store. I'm wondering how you currently support things like java applets. As far as I understand for

Re: Remove Roots used for only Email and CodeSigning?

On Thursday 03 September 2015 11:22:26 Kathleen Wilson wrote: > 2) Remove included root certs that only have the Code Signing trust > bit enabled. To our knowledge, no one is using such root certs via > the NSS root store. I'm not familiar with the project, but Fedora Shared System

Re: Remove Roots used for only Email and CodeSigning?

On Fri, Sep 4, 2015 at 4:53 AM, Gervase Markham wrote: > On 03/09/15 19:22, Kathleen Wilson wrote: > > 2) Remove included root certs that only have the Code Signing trust bit > > enabled. To our knowledge, no one is using such root certs via the NSS > > root store. > > This

Re: Remove Roots used for only Email and CodeSigning?

After some discussion with folks on the NSS team, here's a proposal: 1) Add an item to the "To Be Discussed" section of https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3 to update Mozilla's CA Cert Policy to clarify which audit criteria are required depending on which

Re: Remove Roots used for only Email and CodeSigning?

Thank you, we too consider general policy related discussions separate from specific Root inclusion applications. As for email trust bit enabled Roots, isn't TB another popular product from Mozilla? However I'm not sure if NSS currently stores any "code signing only" roots. Thanks, M.D. On

Re: Remove Roots used for only Email and CodeSigning?

On Mon, August 31, 2015 4:02 pm, Kathleen Wilson wrote: > I have always viewed my job as running the NSS root store, which has > many consumers, including (but not limited to) Mozilla Firefox. So, to > remove something like root certs that only have the email trust bit > enabled requires input

Re: Remove Roots used for only Email and CodeSigning?

I'm afraid there seems to be a bit misinterpretation of ETSI policies: EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and have cumulative effect: higher level (e.g. EVCP) conformance assessment assumes lower level conformence while the opposite is not true. In other words

Re: Remove Roots used for only Email and CodeSigning?

On Mon, August 31, 2015 5:48 pm, Moudrick M. Dadashov wrote: > I'm afraid there seems to be a bit misinterpretation of ETSI policies: > EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and > have cumulative effect: higher level (e.g. EVCP) conformance assessment > assumes

Re: Remove Roots used for only Email and CodeSigning?

On 9/1/2015 3:56 AM, Ryan Sleevi wrote: On Mon, August 31, 2015 5:48 pm, Moudrick M. Dadashov wrote: I'm afraid there seems to be a bit misinterpretation of ETSI policies: EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and have cumulative effect: higher level (e.g.