Closed Bug 561036 Opened 14 years ago Closed 8 years ago

Certificate manager should link to Mozilla CA approval documentation

Categories

(Core :: Security: PSM, enhancement)

enhancement
Not set
normal

RESOLVED WONTFIX

People

(Reporter: matt, Unassigned)

References

(Depends on 1 open bug)

Details

The Authorities tab of the certificate manager lists the built-in CA certificates approved by Mozilla and possibly others added by the user.  Each built-in certificate should be linked in some manner to documentation of its approval for inclusion in Mozilla products.  From the link, users should be able to confirm the continued approval of the root and view the documentation submitted by the CA as well as the public discussion in the newsgroup.

This will constitute a huge increase in the transparency of the Mozilla CA approval process to ordinary users and will add credibility to the claim often repeated in mozilla.dev.security.policy that users are ultimately responsible for making their own trust decisions after reviewing available documentation.

For UI, I suggest adding the following to the "Edit CA certificate trust settings" dialog for built-in certificates, with a link as marked:

"The default trust settings for this certificate are the result of Mozilla's public CA approval process.  You are encouraged to review _the Mozilla approval documentation and discussion_ and consider any other factors relevant to you in deciding whether you personally trust this CA."
What, I managed to file two consecutively numbered bugs?  :D
Depends on: 561035
Assignee: kaie → nobody
I support doing this; it's not something that every user will see (so it doesn't annoy users who don't have the proficiency to use it), but for those who are going to be looking at this level of detail about a CA in the Certificate Manager, it's a good reference.

But maybe there needs to be first a Mozilla.org/CA Certificates bug about the question of doing it or not, and *then* a Core/Security:PSM bug about the way to implement it? Kaie is not going to take a decision whether or not to do that.
Any user who really cares about such things and understands what this all means should already know about "BuiltInCAs-March-2010" at <http://spreadsheets.google.com/pub?key=ttwCVzDVuWzZYaDosdU6e3w&single=true&gid=0&output=html> and "Included Certificate List" at <http://www.mozilla.org/projects/security/certs/included/>.  The latter lists those root certificates included in the NSS database under the current procedures.  As "legacy" root certificates become subject to the requirement of reviews of their updated audits, I would expect them to be added to the latter.
Except the spreadsheet isn't terribly helpful (the word "rapidssl" doesn't even occur on it). It's also several steps of indirection away (the more hoops you make people go through the less likely they are to succeed or bother finishing). I vote we simply add a link to the current website of the certificate holder, ideally to their CPS for that certificate.
RapidSSL is not a CA, but an RA of GeoTrust. But there is a designated section (Certificate Policies) in X.509 certificates designed for user notification and pointers to the CP/CPS. Some browsers have a button in the certificate viewer which allows one to see the notification and links to the CP/CPS. Maybe that would be worth implementing.
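The Certificate Policies extension mentioned in the comment above carries its CPS pointer and user notice as policy qualifiers (RFC 5280). As an added example, not part of this bug thread or of any Mozilla code, the following Python reads them out of the extension's DER value; the function names are illustrative and `SAMPLE`, including the `ca.example` URL, is constructed.

```python
ID_QT_CPS, ID_QT_UNOTICE = "1.3.6.1.5.5.7.2.1", "1.3.6.1.5.5.7.2.2"  # RFC 5280
TEXT_TAGS = {0x0C: "utf-8", 0x16: "ascii", 0x1A: "ascii", 0x1E: "utf-16-be"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(body):  # iterate the elements inside a constructed value
    pos = 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        yield tag, val

def oid(body):  # decode base-128 arcs into dotted form
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    first = min(arcs[0] // 40, 2)
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def parse_policies(ext_value):  # -> policy OIDs with CPS URIs and notice texts
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    result = []
    for _, info in children(body):
        fields = list(children(info))
        entry = {"policy": oid(fields[0][1]), "cps": [], "notice": []}
        for _, qual in (children(fields[1][1]) if len(fields) > 1 else ()):
            (_, qid), (qtag, qval) = children(qual)
            if oid(qid) == ID_QT_CPS and qtag == 0x16:  # IA5String CPSuri
                entry["cps"].append(qval.decode("ascii"))
            elif oid(qid) == ID_QT_UNOTICE:  # explicitText, any DisplayText type
                entry["notice"] += [v.decode(TEXT_TAGS[t]) for t, v in children(qval) if t in TEXT_TAGS]
        result.append(entry)
    return result

SAMPLE = (bytes.fromhex("3050 304e 0604551d2000 3046 3022 06082b06010505070201 1616")
          + b"https://ca.example/cps"  # constructed extension value, anyPolicy OID
          + bytes.fromhex("3020 06082b06010505070202 3014 0c12") + b"Constructed notice")
```

Both the URI and the notice text are supplied by the CA that issued the certificate, so a viewer that shows them should treat them as untrusted input, for example by restricting the link scheme and rendering the notice as plain text.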
I disagree with David E. Ross' comment that any user who cares about this should already be aware of the relevant pages.  I think there's an inherent benefit to adding this functionality, because many previously unaware users will be prompted to better understand the approval process.
I believe this is being implemented as part of the certificate manager add-on project: https://github.com/sidstamm/FirefoxCertificateManager
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX