Re: [wpkops] Browser behaviour draft

Gervase Markham <gerv@mozilla.org> Thu, 24 July 2014 09:20 UTC

Archived-At: http://mailarchive.ietf.org/arch/msg/wpkops/m06s8D3TCMLoAf96DHurASrUGo0

Hi Tim,

On 23/07/14 21:22, Tim Moses wrote:
> Colleagues - I would like to advance the Browser Behaviour draft ...
> 
> http://datatracker.ietf.org/doc/draft-wilson-wpkops-browser-processing/
> 
>  ... to WG draft.

This document (helpfully) states:

"This document reviews some of the certificate-processing features of
the following cryptolibraries: Network Security Services (NSS), in two
code sets, Classic (NSS-Classic) and PKIX (NSS-PKIX); ..."

However, as of two days ago, with the release of Firefox 31, Firefox
switched to using mozilla::pkix for certificate verification:
https://blog.mozilla.org/security/2014/04/24/exciting-updates-to-certificate-verification-in-gecko/
https://www.mozilla.org/en-US/firefox/31.0/releasenotes/

You will need to decide whether to hold the document while you update it
to take account of any changes.

I can tell you that mozilla::pkix also does not do AIA chasing.

"and most end users can manually add or remove root certificates"

Is that a statement about opportunity or capability? :-) Perhaps better
as: "most user agents give end users the opportunity to add or remove
root certificates".

Gerv