Are you aware of the multiple discussions about this? :) It's been a long-standing topic on NSS calls.
Replying to @sleevi_
I've only seen snippets of it over time, wasn't aware it is considered "ongoing". Is it?
Replying to @bagder
Yes. RH had a bit of a freakout when it realized policies weren't expressed via NSS trust blobs in certdata.txt. ~6mo ago
So Kathleen & Moz committed to working towards a solution, including bringing moz::pkix into NSS
Then during discussion of WoSign, it was rediscovered that Moz trust DB isn't and hasn't been binary for years, so again call for
expressing in trust DB. Big issue here is that it's not a static list of remediations, and some are complex/nuanced & require code
And none of these are relevant if apps don't check these new trust blobs, so the urgency is more philosophical than practical
But yes, conclusion was something akin to "fixes go into moz::pkix in FF ASAP, RH/Moz try to work together to uplift to NSS"
So the WoSign/StartCom issues I believe have someone from RH looking at how to 'uplift' into NSS proper, rather than moz::pkix
Replying to @sleevi_
and uplifts to NSS are mostly useless to the greater ecosystem since the majority of the world is on OpenSSL =)
Why not use mozilla::pkix in curl? I did libcrypto + mozilla::pkix: https://github.com/briansmith/mozillapkix/pull/7 …. Just need the libssl part.
Replying to @BRIAN_____ @sleevi_
We _could_ but C++ limits the use quite drastically