Closed Bug 476807 Opened 16 years ago Closed 15 years ago

Remove SSL Step Up trust bits for all roots in root store

Categories

(NSS :: Libraries, enhancement, P3)

Product:
NSS
Component:
Libraries
Type:
enhancement

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.12.7

People

(Reporter: gerv, Assigned: nelson)

Details

Attachments

(1 file)

Patch v1 for NSS trunk
3.17 KB, patch
KaiE
: review+
Details | Diff | Splinter Review
Further to the discussion in m.d.t.crypto: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/2fed0a354e91d4e1?q=Server+Gated+Cryptography I think we should remove the SSL Step Up trust bits for all roots in the store. Anyone still using "It supports SGC/Step Up" as a marketing mechanism is either a) encouraging the use of long-outdated, insecure and standards-incompliant browsers, or b) using FUD. Neither is to be encouraged. I agree that this move is not necessary from a technical point of view but we can send a message that this is bad by allowing people to say "Firefox no longer supports Step Up". Gerv
BTW, by "trust bits" I mean markings, OIDs, whatever is used. Gerv
Nelson: is this something the NSS team agrees is a reasonable thing to do? Gerv
Firefox hasn't supported SSL step-up for about 10 years now. It was only supported in "export" browsers, which Mozilla hasn't produced for ~10 years. The code is still there, but it's dead. The trust flags for step up certs are still there, but have no effect, and are invisible, as they have always been (AFAIK). You could remove those bits, but it would have absolutely no user-visible effect (AFAIK). AFAIK, the only way to tell which roots were trusted for SSL step up was to read the source. I would prioritize the work to remove those trust bits about dead last. I'd give higher priority to removing the dead code that honors them in export browsers (which we haven't made in 10 years). But mostly, I think this is unworthy of any action at all at this time. The list of truly worthy tasks is long. One must ask "which of the truly worthy coding tasks should I delay while I do this unrewarding task?".
The benefit to remove this code would be to prevent perhaps making claims by some certification authorities regarding false enhanced security benefits which don't exist with SGC. This could be a worthy task nevertheless.
From what Nelson says, I agree that there is no technical merit in removing this code or these markings. But Eddy is right: if CAs were able to say "Firefox no longer supports SGC/Step-Up" that might help to dispel some of the FUD that it's absolutely necessary. I agree we are fighting suspect marketing with more marketing, but still... Is removing the relevant trust bits a complex operation, or is it ten minutes with an editor's Find function and the text version of the cert store? Gerv
> if CAs were able to say "Firefox no longer supports SGC/Step-Up" They can say that now, today. It's been true for years. (BTW, NSS _NEVER_ supported SGC, which is not the same as Step-Up) > Is removing the relevant trust bits a complex operation, [...]? cd security/nss/lib/ckfw/builtins vi certdata.txt :g/CKA_TRUST_STEP_UP_APPROVED/s/TRUE/FALSE/ :wq gmake generate cvs commit -m "Bug 476807: Death to Step-Up, r=nelson"
Summary: Remove SSL Step Up ("SGC") trust bits for all roots in root store → Remove SSL Step Up trust bits for all roots in root store
nelson: sounds great! (I was wondering whether you actually did it or not, but http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/ckfw/builtins/certdata.txt&rev=HEAD&mark=1.58 suggests you haven't yet.) Gerv
Cheekily assigning to nelson... Gerv
Assignee: nobody → nelson
To avoid huge merge collisions, I'll wait until Kai has committed his numerous patches to this file, and then I'll run the above script and have him review the patch.
Severity: normal → enhancement
Priority: -- → P3
Target Milestone: --- → 3.12.7
Version: unspecified → trunk
I'm done.
Kai, please review. Thanks.
Attachment #435961 - Flags: review?(kaie)
Comment on attachment 435961 [details] [diff] [review] Patch v1 for NSS trunk r=kaie You've changed all 8 occurrences that have step-up set to true. (I'm sure you'll run "gmake generate" before you hit commit)
Attachment #435961 - Flags: review?(kaie) → review+
Bug 476807: Remove SSL Step Up trust bits for all roots in root store r=kaie Checking in certdata.c; new revision: 1.66; previous revision: 1.65 Checking in certdata.txt; new revision: 1.63; previous revision: 1.62
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: