On 24/09/15 17:24, Kai Engert wrote:
> In past versions of Firefox, there was code that checked for a signature in the
> Add-On, and the user interface that asked for permission to install displayed
> information found in the signature (the name of the owner of the code signing
> certificate).
On 24/09/15 17:50, Kai Engert wrote:
> A Java runtime can include its own root store.
>
> For OpenJDK on Fedora Linux, my understanding is, we configure it to use the
> system's trust store, which contains the Mozilla trust bits.
Do we know how different that makes the behaviour from a JDK which
On Fri, 2015-09-04 at 11:25 +0200, Kurt Roeckx wrote:
> On 2015-09-03 20:22, Kathleen Wilson wrote:
> > 2) Remove included root certs that only have the Code Signing trust bit
> > enabled. To our knowledge, no one is using such root certs via the NSS
> > root store.
>
> I'm wondering how you curre
On Mon, 2015-09-07 at 13:58 +0100, Gervase Markham wrote:
> On 04/09/15 14:09, Phillip Hallam-Baker wrote:
> > Has Mozilla stopped supporting Thunderbird?
>
> No. Mozilla-the-project still develops and supports Thunderbird.
>
> I had thought this was about code signing only, but reading back, I w
On Fri, 2015-09-04 at 14:26 +0200, Hubert Kario wrote:
> On Thursday 03 September 2015 11:22:26 Kathleen Wilson wrote:
> > 2) Remove included root certs that only have the Code Signing trust
> > bit enabled. To our knowledge, no one is using such root certs via
> > the NSS root store.
>
> I'm not
On Fri, 2015-09-04 at 09:53 +0100, Gervase Markham wrote:
> On 03/09/15 19:22, Kathleen Wilson wrote:
> > 2) Remove included root certs that only have the Code Signing trust bit
> > enabled. To our knowledge, no one is using such root certs via the NSS
> > root store.
>
> This seems like a half-wa
On 18/09/15 09:55, Rob Stradling wrote:
> But since there are no current plans to change Thunderbird...
> Does this mean that Thunderbird still has a use for code signing
> certificates from commercial CAs and, consequently, the NSS code signing
> trust bit?
That would be a question for the Thunde
On 17/09/15 12:19, Rob Stradling wrote:
> On 15/09/15 10:17, Gervase Markham wrote:
>> On 11/09/15 22:06, Rob Stradling wrote:
>>> On 11/09/15 13:05, Gervase Markham wrote:
On 08/09/15 10:54, Rob Stradling wrote:
> Assuming this is still Mozilla's plan, please would you clarify which
>
On 15/09/15 10:17, Gervase Markham wrote:
> On 11/09/15 22:06, Rob Stradling wrote:
>> On 11/09/15 13:05, Gervase Markham wrote:
>>> On 08/09/15 10:54, Rob Stradling wrote:
>>>> Assuming this is still Mozilla's plan, please would you clarify which
>>>> versions of Firefox and Thunderbird will be (o
On 11/09/15 22:06, Rob Stradling wrote:
> On 11/09/15 13:05, Gervase Markham wrote:
>> On 08/09/15 10:54, Rob Stradling wrote:
>>> Assuming this is still Mozilla's plan, please would you clarify which
>>> versions of Firefox and Thunderbird will be (or were?) the first
>>> versions that won't accep
On 11/09/15 13:05, Gervase Markham wrote:
> On 08/09/15 10:54, Rob Stradling wrote:
>> Assuming this is still Mozilla's plan, please would you clarify which
>> versions of Firefox and Thunderbird will be (or were?) the first
>> versions that won't accept "normal CA-issued object-signing certificate
On 08/09/15 10:54, Rob Stradling wrote:
> Assuming this is still Mozilla's plan, please would you clarify which
> versions of Firefox and Thunderbird will be (or were?) the first
> versions that won't accept "normal CA-issued object-signing certificates" ?
Extension signing was historically very r
On 08/09/15 10:54, Rob Stradling wrote:
> Hi Gerv.
>
> It seems clear from [1] that Firefox (and Thunderbird?) does (or at
> least did) use the NSS code signing trust bit for the purpose of
> verifying that addons/extensions have been signed by publicly-trusted
> code signing certs.
>
> I'm aware
On Wed, Sep 9, 2015 at 11:43 AM, Hubert Kario wrote:
> On Tuesday 08 September 2015 11:08:50 Peter Bowen wrote:
> > On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx wrote:
> > > On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
> > >> 28. Remove Code Signing trust bits. As of Firefox
On 9/9/2015 8:43 AM, Hubert Kario wrote:
> On Tuesday 08 September 2015 11:08:50 Peter Bowen wrote:
>> On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx wrote:
>>> On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
>>>> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are
>>>
On Tuesday 08 September 2015 11:08:50 Peter Bowen wrote:
> On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx wrote:
> > On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
> >> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are
> >> signed using Mozilla's own roots. There do
On Tue, Sep 08, 2015 at 12:22:27PM -0700, Ryan Sleevi wrote:
> On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote:
> > As already pointed out, this is probably at least used by java on
> > most Linux distributions.
>
> When you say "Java", it would be helpful to clarify.
>
> Oracle/Sun opera
On Tue, Sep 8, 2015 at 3:22 PM, Ryan Sleevi wrote:
> On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote:
> > As already pointed out, this is probably at least used by java on
> > most Linux distributions.
>
> When you say "Java", it would be helpful to clarify.
>
> Oracle/Sun operate their o
On Tue, September 8, 2015 11:04 am, Kurt Roeckx wrote:
> As already pointed out, this is probably at least used by java on
> most Linux distributions.
When you say "Java", it would be helpful to clarify.
Oracle/Sun operate their own root store for Java, so this presumably would
be non-Oracle/Su
On Tue, Sep 8, 2015 at 11:04 AM, Kurt Roeckx wrote:
> On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
>> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed
>> using Mozilla's own roots. There doesn't appear to be anyone else using the
>> roots in the NSS root
On Tue, Sep 08, 2015 at 10:58:39AM -0700, Kathleen Wilson wrote:
> 28. Remove Code Signing trust bits. As of Firefox 38, add-ons are signed
> using Mozilla's own roots. There doesn't appear to be anyone else using the
> roots in the NSS root store for Code Signing. -- currently under discussion
> i
On 9/3/15 11:22 AM, Kathleen Wilson wrote:
> After some discussion with folks on the NSS team, here's a proposal:
> 1) Add an item to the "To Be Discussed" section of
> https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
> to update Mozilla's CA Cert Policy to clarify which audit crit
On Tue, September 8, 2015 9:13 am, Jürgen Brauckmann wrote:
> Ryan,
>
> sorry, I don't understand you. You cannot pass a Webtrust for CAs audit
> when you do the things you mentioned. There is no difference between
> email/codesigning certs and TLS server certs.
Juergen,
The unfortunate rea
On Tue, Sep 8, 2015 at 9:13 AM, Jürgen Brauckmann wrote:
> Ryan Sleevi wrote:
>>
>> I fear that others using the store for S/MIME or code-signing would think
>> the same as you. The reality is that this is not the case, which is why
>> it's all the more reason to make an informed decision.
>>
>>
Ryan Sleevi wrote:
> I fear that others using the store for S/MIME or code-signing would think
> the same as you. The reality is that this is not the case, which is why
> it's all the more reason to make an informed decision.
> As it stands, you could do each of those things I explicitly mentioned and
On Tue, September 8, 2015 12:10 am, Jürgen Brauckmann wrote:
> No, they would not abide by Mozilla's policies, because they would
> violate the requirements set forth by the audit schemes.
>
> Juergen
Hi Juergen,
I fear that others using the store for S/MIME or code-signing would think
the sam
Hi Gerv.
It seems clear from [1] that Firefox (and Thunderbird?) does (or at
least did) use the NSS code signing trust bit for the purpose of
verifying that addons/extensions have been signed by publicly-trusted
code signing certs.
I'm aware that over the past year Mozilla have been looking at re
Hi Ryan,
Thank you for your thought-provoking critique :-) Much appreciated.
On 07/09/15 17:54, Ryan Sleevi wrote:
> Once included, what criteria do they need to abide by? Only Item 7 from
> the Inclusion policy -
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/poli
Ryan Sleevi wrote:
> Under the current inclusion policies, what would prohibit Honest Achmed's
> Used CA from offering code-signing or email certificates? Achmed would
> need an audit - under either ETSI TS 101 456 v1.4.3 with QCP, WebTrust
> "Principles and Criteria for Certification Authorities 2.0",
On Mon, September 7, 2015 5:58 am, Gervase Markham wrote:
> On 04/09/15 14:09, Phillip Hallam-Baker wrote:
> > Has Mozilla stopped supporting Thunderbird?
>
> No. Mozilla-the-project still develops and supports Thunderbird.
>
> I had thought this was about code signing only, but reading back, I
On 04/09/15 14:09, Phillip Hallam-Baker wrote:
> Has Mozilla stopped supporting Thunderbird?
No. Mozilla-the-project still develops and supports Thunderbird.
I had thought this was about code signing only, but reading back, I was
wrong. I would certainly oppose deprecating the email bit in our ro
On Fri, Sep 4, 2015 at 4:53 AM, Gervase Markham wrote:
> On 03/09/15 19:22, Kathleen Wilson wrote:
> > 2) Remove included root certs that only have the Code Signing trust bit
> > enabled. To our knowledge, no one is using such root certs via the NSS
> > root store.
>
> This seems like a half-way
On 2015-09-04 15:09, Phillip Hallam-Baker wrote:
> Has Mozilla stopped supporting Thunderbird?
Thunderbird really has stopped being a priority. We're lucky we still
get updates, it's still somewhat supported.
But I also receive S/MIME and use the Mozilla trust store to check them.
And it c
On Mon, Aug 31, 2015 at 7:02 PM, Kathleen Wilson wrote:
> Breaking this out into a separate discussion:
>
> ...should Mozilla continue to accept
>> certificates without the "Websites" trust bit? Considering that there are
>> not clear guidelines for how to process either code signing or email, an
On Thursday 03 September 2015 11:22:26 Kathleen Wilson wrote:
> 2) Remove included root certs that only have the Code Signing trust
> bit enabled. To our knowledge, no one is using such root certs via
> the NSS root store.
I'm not familiar with the project, but Fedora Shared System
Certificates[1
On 2015-09-03 20:22, Kathleen Wilson wrote:
> 2) Remove included root certs that only have the Code Signing trust bit
> enabled. To our knowledge, no one is using such root certs via the NSS
> root store.
I'm wondering how you currently support things like java applets. As
far as I understand for s
On 03/09/15 19:22, Kathleen Wilson wrote:
> 2) Remove included root certs that only have the Code Signing trust bit
> enabled. To our knowledge, no one is using such root certs via the NSS
> root store.
This seems like a half-way house. If no-one is using our root store as a
code-signing root stor
After some discussion with folks on the NSS team, here's a proposal:
1) Add an item to the "To Be Discussed" section of
https://wiki.mozilla.org/CA:CertPolicyUpdates#Consider_for_Version_2.3
to update Mozilla's CA Cert Policy to clarify which audit criteria are
required depending on which trust
On 9/1/2015 3:56 AM, Ryan Sleevi wrote:
> On Mon, August 31, 2015 5:48 pm, Moudrick M. Dadashov wrote:
>> I'm afraid there seems to be a bit of misinterpretation of ETSI policies:
>> EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and
>> have cumulative effect: higher level (e.g. EVCP
On Mon, August 31, 2015 5:48 pm, Moudrick M. Dadashov wrote:
> I'm afraid there seems to be a bit of misinterpretation of ETSI policies:
> EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and
> have cumulative effect: higher level (e.g. EVCP) conformance assessment
> assumes lowe
I'm afraid there seems to be a bit of misinterpretation of ETSI policies:
EVCP, EVCP+, DVCP, OVCP are based on the same general requirements and
have cumulative effect: higher level (e.g. EVCP) conformance assessment
assumes lower level conformance while the opposite is not true.
In other words i
On Mon, August 31, 2015 4:02 pm, Kathleen Wilson wrote:
> I have always viewed my job as running the NSS root store, which has
> many consumers, including (but not limited to) Mozilla Firefox. So, to
> remove something like root certs that only have the email trust bit
> enabled requires input
Thank you, we too consider general policy related discussions separate
from specific Root inclusion applications.
As for email trust bit enabled Roots, isn't TB another popular product
from Mozilla? However I'm not sure if NSS currently stores any "code
signing only" roots.
Thanks,
M.D.
On
Breaking this out into a separate discussion:
...should Mozilla continue to accept
certificates without the "Websites" trust bit? Considering that there are
not clear guidelines for how to process either code signing or email, and
considering their relevance (or lack thereof) to Mozilla, it woul