On Tue, May 16, 2017 at 10:42 AM, Jakob Bohm via dev-security-policy <
dev-secur...@lists.mozilla.org> wrote:
>
> I suggest you read and understand the OP in this thread, which is
> *entirely* about using the Mozilla Root Store outside Mozilla code.
>
Hi Jakob,
Could I echo Alex's request that you be more considerate in your replies?
I've attempted to remain positive in engaging with you, but I think both
your tone and your message continue to come off in a way that's not
conducive towards progress.
For example, here, you're implying I have not read the messages before
posting. That's not assuming good faith.
> Yet you keep posting noise about using the Mozilla store with Mozilla
> code such as NSS, with Mozilla internal database formats, etc. etc.
>
This is also a rather insulting message, because here, you're entirely
disregarding the message on the basis that it's "noise". It's entirely
within the scope - as both a Mozilla module peer and as an NSS contributor
- to point out what is relevant and already expressed by Mozilla, so that
consumers of the Mozilla Root Store outside of Mozilla code can address.
Further, both the NSS and Mozilla Root Store have a policy regarding this,
that policy has been pointed out, and while certainly, good faith
engagement is being made to help Cory achieve his goals, it's also worth
reiterating that what is specifically being requested - e.g. what you
consider everything else but to be 'noise' - is out of scope.
> Just above you commented "Not all such requirements can be expressed as
> code", which is completely backwards thinking when the request is for
> putting all additional conditions in an open database in a *stable*
> data format that can be easily and fully consumed by non-Mozilla code.
I'm aware of what that request is. That request has been responded to -
several times - as out of scope. I would argue that continuing to belabor
that point - when it's been responded to in good faith - might arguably be
considered noise, but I'm trying to engage with you productively, rather
than being demeaning, insulting, and dismissive, as you are with me.
I realize you may feel it's backwards thinking. If that's the case, perhaps
your time is better spent on other projects that might be more aligned with
your thinking. That's the exciting joy of open-source - no one is forcing
you to use it or to participate in these discussions. If your goal is to
help convince others to your way of thinking, might I suggest that phrases
such as "noise", "backwards thinking", and "I suggest you read and
understand" are, as oratory techniques and as forms of debate, more likely
to get you written off than to win others to your way of thinking?
I think it's worth reiterating the responses here, perhaps in summary form,
so you can perhaps see what is being discussed.
1) NSS already exposes constraints via certdata.txt.
- This is the root store source of truth. This is what non-Mozilla code
is using to generate their application-specific stores. Applications
constructing their own root store _already_ use this format - for example,
https://curl.haxx.se/docs/mk-ca-bundle.html . It's up to those applications
- not Mozilla - to determine how to best coerce those expressions into a
form suitable for their application.
2) NSS does not expose/export its root store out of NSS.
- It's open source. You're free to take it and use it. You're free to
request that it is exposed. However, as noted in
https://wiki.mozilla.org/CA:FAQ#Can_I_use_Mozilla.27s_set_of_CA_certificates.3F
, this is out of scope.
3) I proposed a path to reduce the need for such expressions of 'limited
trust'.
- This path works for both Mozilla and non-Mozilla applications. This
path works for applications that update and those that do not. The entire
purpose of this proposal is to reduce the need to maintain such expressions
of limited trust, by providing greater flexibility towards distrusting
problematic infrastructure, while still supporting existing and legacy
clients.
While your participation here in m.d.s.p. has been varied, and at many
times, technically and factually incorrect, I do hope you can find more
productive and constructive ways of expressing your feelings.