Closed Bug 692248 Opened 13 years ago Closed 8 years ago

Add interface for selecting a different list of trusted Certificate Authorities

Categories

(Core Graveyard :: Security: UI, enhancement)

Product:
Core Graveyard
Component:
Security: UI
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: kathleen.a.wilson, Unassigned)

References

Details

Currently Mozilla products such as Firefox and Thunderbird come with a default set of trusted Certificate Authorities. There does not appear to be a way for a user to easily select a different list of trusted Certificate Authorities, such as one provided to employees by their company. From postings in m.d.s.policy: it's generally viewed as a bad idea to use public CAs to sign certs for enterprise applications/servers/devices (enterprise doesn't control actions of the CA). But, the pain of updating all browsers and other relying parties with an enterprise root list today ... I've seen several customers go with the public CA route anyways. ... the lack of an easy way to manage FF's trust lists in a centralized fashion makes it tempting to use certs issued by a public CA for internal use. An enhancement which permitted FF to use externally specified root lists would eliminate motivation to use publicly issued certs for internal use only. Note: This enhancement would not solve the case where in-premise enterprise sub-CAs chain to a root in NSS in order to have better interoperability with their customers and business partners.
Some of the pieces for this may already exist in code: https://groups.google.com/group/mozilla.dev.security/browse_thread/thread/f8afac1eef7cb4cd/3c6745b5dee31b00#5596694c6381a9ae It should be noted that this is not just a feature for enterprise users, but has the potential to be used by anyone on the internet who wants to maintain a root list for the benefit of themselves and others... akin to something like an AdBlock list: https://adblockplus.org/en/subscriptions If current in-premise enterprise sub-CAs wish to have interoperability with their customers and business partners, those entities can likewise subscribe to the approved root list.
See Also: → 644640
(In reply to Kathleen Wilson from comment #0) > But, the pain of updating all browsers and other relying parties with an > enterprise root list today ... I've seen several customers go with the > public CA route anyways. ... the lack of an easy way to manage FF's trust > lists in a centralized fashion makes it tempting to use certs issued by a > public CA for internal use. An enhancement which permitted FF to use > externally specified root lists would eliminate motivation to use > publicly issued certs for internal use only. Mozilla implementing this enhancement request shouldn't be seen as a prerequisite that must be satisfied before changes to the policy are made. It is already possible to automate the import/export of alternate roots using the NSS certutil utility and some scripting. I propose we solve this problem by changing PSM to use the operating system root CA store.
See e.g. bug 1265113 for the work we're doing in this area. At this time I don't see us supporting replacing the Mozilla CA store, though.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.