Re: [wpkops] Browser behaviour draft

Ben Wilson <> Thu, 24 July 2014 15:44 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id ED83B1A0387 for <>; Thu, 24 Jul 2014 08:44:51 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -4.203
X-Spam-Status: No, score=-4.203 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, RP_MATCHES_RCVD=-0.001, SPF_HELO_PASS=-0.001, SPF_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id iGImQHfWfzFk for <>; Thu, 24 Jul 2014 08:44:45 -0700 (PDT)
Received: from ( []) by (Postfix) with ESMTP id 7C2961A0266 for <>; Thu, 24 Jul 2014 08:44:45 -0700 (PDT)
From: Ben Wilson <>
To: Tim Moses <>, Gervase Markham <>, "" <>
Thread-Topic: [wpkops] Browser behaviour draft
Thread-Index: Ac+ms94oJr0mgv4pQF68oJysomSRsgAnvUSAAAcMiIAABnZboAAMsceA
Date: Thu, 24 Jul 2014 15:44:44 +0000
Message-ID: <>
References: <> <> <>
Accept-Language: en-US
Content-Language: en-US
x-originating-ip: []
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
Subject: Re: [wpkops] Browser behaviour draft
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 24 Jul 2014 15:44:52 -0000

We could add a clear statement in the document that says, "this document describes the state of the Web PKI circa 2013" or something like that.

-----Original Message-----
From: wpkops [] On Behalf Of Tim Moses
Sent: Thursday, July 24, 2014 6:42 AM
To: Gervase Markham;
Subject: Re: [wpkops] Browser behaviour draft

Hi Gerv.  It has to be "opportunity"; we all know that users don't possess the capability to manage security on their end systems.

Ooh!  I should put a smiley face after that.


We made a decision to record the state of Web PKI at a point in time.  (That being the end of 2013.)  The state is continuously evolving, and it would be a poor use of our time if we were to attempt to track it.  However, if completion is delayed much beyond the projected completion date, we may have to revisit that decision.

Thanks for your helpful input.

All the best.  Tim.

-----Original Message-----
From: Gervase Markham [] 
Sent: Thursday, July 24, 2014 5:21 AM
To: Tim Moses;
Subject: Re: [wpkops] Browser behaviour draft

Hi Tim,

On 23/07/14 21:22, Tim Moses wrote:
> Colleagues - I would like to advance the Browser Behaviour draft ...
> /
>  ... to WG draft.

This document (helpfully) states:

"This document reviews some of the certificate-processing features of the following cryptolibraries: Network Security Services (NSS), in two code sets, Classic (NSS-Classic) and PKIX (NSS-PKIX); ..."

However, as of two days ago, with the release of Firefox 31, Firefox switched to using mozilla::pkix for certificate verification:

You will need to decide whether to hold the document while you update it to take account of any changes.

I can tell you that mozilla::pkix also does not do AIA chasing.

"and most end users can manually add or remove root certificates"

Is that a statement about opportunity or capability? :-) Perhaps better
as: "most user agents give end users the opportunity to add or remove root certificates".

wpkops mailing list