271695 - Automatic updating of trusted root authorities

Status: RESOLVED WORKSFORME

(Core Graveyard :: Security: UI, enhancement)

Description

[Henrik Gemal]

From:
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/sag_cmautorootupdt.mspx
"In Windows XP, you can use the Update Root Certificates function for this. When
you install Windows XP, Update Root Certificates is turned on by default. With
this feature turned on, if you are presented with a certificate issued by an
untrusted root authority, your computer will contact the Windows Update Web site
to see if Microsoft has added the CA to its list of trusted authorities. If it
has been added to the Microsoft list of trusted authorities, its certificate
will automatically be added to your trusted certificate store"

This is pretty smart I think. Perhaps the update.mozilla.org site could hold the
list of trusted root certificates and NSS could be made into handling such stuff?

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

This is an enhancement request for PSM, IMO.  

Comment 2

[Kai Engert (:KaiE:)]

We should of course not get our list of trusted certs from Microsoft ;-)

Automatic updating of trusted root certs seems, in general, very reasonable to me.
This should not be limited to adding new authorities, but in addition could be
used to remove authorities that have turned out to be not trustworthy.

However, this feature would have to be carefully designed, to only allow the
mozilla.org site to drive the installation / removal of authority certs, and not
allow anybody else to do it.

Comment 3

[Dana Keeler (she/her) (use needinfo) [:keeler]]

We might eventually do this with kinto, but for now updating the browser itself is sufficient (also, we have the blocklist, so we can revoke roots if we need to).