Fwd: Re: Policy Update Proposal -- Remove Email Trust Bit

R Kent James kent at caspia.com
Mon Oct 19 18:05:37 UTC 2015

TL;DR: Mozilla will keep supporting the email trust bit for now, but if 
someone does not come forward with funding to fix the underlying issues 
in certificate validation, it might get removed in future versions.

So we are on notice that S/MIME support in certificate infrastructure is 
under threat, and someone needs to step up to the plate to fund this.


-------- Forwarded Message --------
Subject: Re: Policy Update Proposal -- Remove Email Trust Bit
Date: Mon, 19 Oct 2015 10:00:00 -0700
From: Kathleen Wilson <kwilson at mozilla.com>
To: mozilla-dev-security-policy at lists.mozilla.org
Newsgroups: mozilla.dev.security.policy
References: <S-OdneDp1tAagIDLnZ2dnUU7-fWdnZ2d at mozilla.org> 
<mailman.3916.1444957185.18043.dev-security-policy at lists.mozilla.org>

Here's where I stand on this...

- I think it would be premature to remove the Email trust bit at this
point in time.

- I cannot spend any more time on the Email trust bit than I currently do.

- I think we should postpone (to a future version of the policy)
splitting the S/MIME policy into a separate document from the TLS
policy, because that will take extra effort. Someone else needs to
commit to leading the effort to create the S/MIME policy. When a
separate S/MIME policy exists, then we can do the full separation.

- I cannot commit to separating out the discussions for the Email trust
bit until there is a separate S/MIME policy, because separating out the
discussions means more work for me, for little or no benefit to the
community until there is a separate policy.

- I think we should keep status quo in regards to the Email trust bit
for now, and re-evaluate for the following version (e.g. 2.4) of
Mozilla's CA Certificate Policy. Part of that evaluation will be to take
into consideration what work has been done for the S/MIME policy and bug
fixing for S/MIME in NSS between now and then.

- We've heard (mostly anecdotally) that people depend on the Email trust
bit, yet (to my knowledge) no one has stepped up to commit resources to
fixing the issues that have been raised during this discussion.
Therefore, I'm OK with keeping things status quo for a bit longer, but
if no one steps up to do this work in the next year, then I will be less
inclined to continue supporting the Email trust bit.

Thanks again to all of you who thoughtfully and constructively contributed
to this discussion.


