On 3/5/11 3:22 PM, Nelson B Bolyard wrote:
Brian Smith wrote:
"Ritmo2k" wrote:
Anyone know if its possible to configure Firefox to implicitly trust
all certificate authorities installed in the Windows Trusted Root
Certification Authorities Store?

Firefox does not support this yet. See:

https://bugzilla.mozilla.org/show_bug.cgi?id=454036
https://bugzilla.mozilla.org/show_bug.cgi?id=390221

There's an unfinished set of code in Mozilla's CVS repository that
implements a PKCS#11 module on top of MS CAPI, enabling access to certs
and keys in Windows' cert and key stores.  Read about it in
http://mxr.mozilla.org/security/source/security/nss/lib/ckfw/capi/

There are some pretty major security implications to doing something like this. Windows does not have a static list of root certs in the Root Store. Instead, it dynamically "phones home" to Microsoft to check for root certs when a user tries to use an end-entity cert that chains up to an unknown root cert. Microsoft also adds new root certs without any meaningful end-user notice. The end result is that there is no way for you to predict what will be in your trusted list.

On 3/4/11 9:46 PM, Brian Smith wrote:
In theory you could write a script that exports all the CA certificates from
the Windows certificate store and then uses those tools to import them into
the user's certificate database. But, you would have to run it individually
for each user. And, you would not be able to run it while Firefox is running.

You can also manually export the CA certificates from the Windows certificate
store as individual files and then import them into Firefox manually using
Tools -> Options -> Advanced -> View Certificates -> Import.

This will only give you the state of your local cache of a subset of the Microsoft-approved certs. If you wanted Firefox to behave like Chrome or IE you would have to trigger the "phone home" upon encountering an unknown root cert.

The larger question is why this is seen as "better." More root certs does not equal better security, and there's no evidence that the Microsoft process for approving roots is "better" than the Mozilla one.

Reference:
http://support.microsoft.com/kb/931125

"Root certificates on Windows Vista and later are distributed via the automatic root update mechanism – that is, per root certificate. When a user visits a secure Web site (by using HTTPS SSL), reads a secure email (S/MIME), or downloads an ActiveX control that is signed (code signing) and encounters a new root certificate, the Windows certificate chain verification software checks Microsoft Update for the root certificate. If it finds it, it downloads the current Certificate Trust List (CTL) containing the list of all trusted root certificates in the Program, and verifies that the root certificate is listed there; it then downloads the specified root certificate to the system and installs it in the Windows Trusted Root Certification Authorities Store. If the root certificate is not found, the certificate chain is not completed, and the system returns an error. To the user, a successful root update is seamless. The user does not see any security dialog boxes or warnings. The download happens automatically."
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
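The export-and-import script Brian sketches, written out as an added PowerShell example (it is not code from the thread or from Mozilla). It assumes the path to the NSS certutil.exe and the Firefox profile directory passed as parameters, and it can only copy the roots currently cached in the local Windows store, so it has exactly the limitation noted above.

```powershell
# Added example, not from the thread: export the CA certificates currently present in the
# Windows Trusted Root store and add each one to an NSS cert database with NSS certutil.
# Assumptions: $NssCertutil points at the NSS certutil.exe (Windows ships an unrelated tool
# also named certutil.exe, so the full path matters); $ProfileDir is one Firefox profile
# directory, so the script has to be run once per user.
param(
    [string]$NssCertutil = "C:\path\to\nss\certutil.exe",   # placeholder path
    [string]$ProfileDir  = (Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory |
                            Select-Object -First 1).FullName,
    [string]$ExportDir   = "$env:TEMP\win-roots"
)

# certutil writes directly into the profile's cert database; Firefox must not have it open.
if (Get-Process -Name firefox -ErrorAction SilentlyContinue) {
    throw "Close Firefox before modifying its certificate database."
}
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null

# Only what is cached locally right now is visible here: roots that Windows would fetch
# on demand through automatic root update are not in the store and will not be imported.
$roots = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $_.Subject -eq $_.Issuer      # keep self-signed CA certificates only
}

foreach ($cert in $roots) {
    # Convert DER to PEM so certutil can read the file with -a.
    $der  = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64  = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    $pem  = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n"
    $file = Join-Path $ExportDir "$($cert.Thumbprint).pem"
    Set-Content -Path $file -Value $pem -Encoding Ascii

    # Nicknames must be unique in the NSS database; the thumbprint avoids CN collisions.
    $nick = "Windows Root $($cert.Thumbprint)"
    # -t "C,," marks the cert as a trusted CA for TLS server certs only (not email or
    # code signing). For a cert9.db (SQLite) profile, pass "sql:$ProfileDir" instead.
    & $NssCertutil -A -d $ProfileDir -n $nick -t "C,," -a -i $file
    Write-Host ("imported {0} ({1})" -f $cert.Subject, $cert.Thumbprint)
}
```

The Write-Host line leaves an audit trail of every root that was granted trust, which is the list you would otherwise have no way to predict.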