Root Certificates in Firefox OS (was Re: NSS in Firefox OS)

[Rob Stradling]

On 20/10/12 18:33, Brian Smith wrote:
<snip>
> B2G (Firefox OS) does use NSS.

Brian,

I presume that Firefox OS trusts NSS's "Built-in" Root Certificates [1],
but what (if anything) does Firefox OS do for EV SSL?

Does Firefox OS import PSM's list of EV-enabled Root Certificates? [2]

Thanks.


[1]
https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt

[2]
https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp

<snip>

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

[Rob Stradling]

On 18/04/13 13:54, Rob Stradling wrote:
> On 20/10/12 18:33, Brian Smith wrote:
> <snip>
>> B2G (Firefox OS) does use NSS.
>
> Brian,
>
> I presume that Firefox OS trusts NSS's "Built-in" Root Certificates [1],
> but what (if anything) does Firefox OS do for EV SSL?
>
> Does Firefox OS import PSM's list of EV-enabled Root Certificates? [2]

https://bugzilla.mozilla.org/show_bug.cgi?id=787155#c10 seems to answer
my question.

"...B2G doesn't have an EV indicator anyway".

[Brian Smith]

Rob Stradling wrote:
> > I presume that Firefox OS trusts NSS's "Built-in" Root Certificates
> > [1], but what (if anything) does Firefox OS do for EV SSL?

As you found, Firefox OS doesn't have an EV UI, and in fact I just disabled the EV validation logic in B2G for performance reasons, given that it was wasted effort without a UI.

> > Does Firefox OS import PSM's list of EV-enabled Root Certificates?
> > [2]

It did, but I just disabled that since it wasn't being used for anything.

Note that this wasn't a policy decision. It could be that we will have an EV indicator in the future on B2G. I expect we will eventually try to make all our products consistent, one way or another.

Cheers,
Brian