Re: [wpkops] Browser behaviour draft

Tim Moses <> Thu, 24 July 2014 12:42 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BC2A81A0251 for <>; Thu, 24 Jul 2014 05:42:34 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.902
X-Spam-Status: No, score=-1.902 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id PB2MylqBlNDt for <>; Thu, 24 Jul 2014 05:42:32 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F02341A024C for <>; Thu, 24 Jul 2014 05:42:31 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.01,724,1400040000"; d="scan'208";a="1571743"
Received: from unknown (HELO ([]) by with ESMTP/TLS/AES128-SHA; 24 Jul 2014 08:42:30 -0400
Received: from ([fe80::303b:8584:c6f4:be18]) by ([::1]) with mapi id 14.03.0195.001; Thu, 24 Jul 2014 08:42:31 -0400
From: Tim Moses <>
To: Gervase Markham <>, "" <>
Thread-Topic: [wpkops] Browser behaviour draft
Thread-Index: Ac+ms94oJr0mgv4pQF68oJysomSRsgAjjGKAAAGHQDA=
Date: Thu, 24 Jul 2014 12:42:29 +0000
Message-ID: <>
References: <> <>
In-Reply-To: <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Subject: Re: [wpkops] Browser behaviour draft
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jul 2014 12:42:34 -0000

Hi Gerv.  It has to be "opportunity"; we all know that users don't possess the capability to manage security on their end systems.

Ooh!  I should put a smiley face after that.


We made a decision to record the state of Web PKI at a point in time.  (That being the end of 2013.)  The state is continuously evolving, and it would be a poor use of our time if we were to attempt to track it.  However, if completion is delayed much beyond the projected completion date, we may have to revisit that decision.

Thanks for your helpful input.

All the best.  Tim.

-----Original Message-----
From: Gervase Markham [] 
Sent: Thursday, July 24, 2014 5:21 AM
To: Tim Moses;
Subject: Re: [wpkops] Browser behaviour draft

Hi Tim,

On 23/07/14 21:22, Tim Moses wrote:
> Colleagues - I would like to advance the Browser Behaviour draft ...
> /
>  ... to WG draft.

This document (helpfully) states:

"This document reviews some of the certificate-processing features of the following cryptolibraries: Network Security Services (NSS), in two code sets, Classic (NSS-Classic) and PKIX (NSS-PKIX); ..."

However, as of two days ago, with the release of Firefox 31, Firefox switched to using mozilla::pkix for certificate verification:

You will need to decide whether to hold the document while you update it to take account of any changes.

I can tell you that mozilla::pkix also does not do AIA chasing.

"and most end users can manually add or remove root certificates"

Is that a statement about opportunity or capability? :-) Perhaps better
as: "most user agents give end users the opportunity to add or remove root certificates".