Joshua Toon wrote:
> I know that there are probably well thought out reasons that this
> isn't a feature already...BUT! Lots of US Government users can't
> use Firefox because it doesn't use the Windows certificate store.

Please explain why NSS's trusted root store doesn't work for them. Is it 
because Microsoft's builtin root store has some CAs that we don't? Or, is it 
because the US Government uses Windows' group policy stuff to add their own 
custom CAs to every PC, and we don't pick up those custom CAs.

> Would anyone be totally opposed to adding this feature and having it
> enabled via group policy? That would allow some IT shops to roll it
> out with their preferred smart card middleware...like ActivClient.

Or, is the problem that these users cannot use their smartcards (doing client 
authentication)?

The most controversial thing would be to support using Microsoft's builtin root 
CA list instead of NSS's, even as an option. The compatibility problems due to 
our set not matching Microsoft's are painful but also people will object to the 
idea of switching to Microsoft's root list wholesale, because it hurts 
Mozilla's position at the negotiating table to improve CA-related policy stuff. 
That is something that is best discussed on dev.security.policy.

I would very much welcome any assistance in getting better support for 
administrator-added root certificates into Firefox. I am not sure how we can, 
using Microsoft's APIs, distinguish roots that are trusted because they are 
in Microsoft's built-in list from roots that are trusted because a user 
or sysadmin explicitly added them. If there is a way to make such a 
distinction, then I would gladly help with a feature that allowed us to 
seamlessly trust the sysadmin-/user-added roots in the Windows certificate 
database.

I also think it would be *great* and (almost) totally non-controversial to add 
support for using CAPI/CNG instead of NSS for smartcard authentication on 
Windows, and I would welcome the patches and help push them along. (Chromium 
already has patches to allow NSS's libssl to do client authentication using 
CAPI smartcards, IIRC, and I would be glad to help integrate them into NSS 
upstream if there is somebody that wants to help with the Firefox UI 
integration with CAPI/CNG.)

Cheers,
Brian
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
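The question raised above, whether Windows exposes enough information to separate administrator-distributed roots from Microsoft's own set, can be explored from the administrative side by looking at the physical stores behind the logical "Trusted Root Certification Authorities" store. The following PowerShell script is an added example written for this page; it is not code from the thread, from Firefox or from NSS. It assumes the standard CAPI registry layout, in which each physical store keeps one subkey per certificate named by the certificate's SHA-1 thumbprint, and it reads only the key names plus the merged `Cert:` drive for subject names, so it runs read-only on any Windows host.

```powershell
# Added example (not from the thread, Firefox or NSS): list root CAs per
# Windows physical store so that roots pushed by an administrator (local,
# Group Policy, AD enterprise, per-user) can be separated from the
# Microsoft-distributed AuthRoot set.
# Assumption: standard CAPI registry layout, one subkey per certificate,
# subkey name = SHA-1 thumbprint in hex.

function Get-RootThumbprints {
    param([string]$RegistryPath)
    if (-not (Test-Path $RegistryPath)) { return @() }
    # Each subkey is named by the certificate's SHA-1 thumbprint.
    Get-ChildItem -Path $RegistryPath |
        ForEach-Object { $_.PSChildName.ToUpperInvariant() }
}

# Physical stores feeding the logical Root store (assumed registry paths).
$stores = [ordered]@{
    'AuthRoot (Microsoft program roots)' = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
    'Local machine Root'                 = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    'Group Policy Root'                  = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'
    'Enterprise Root (AD-published)'     = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'
    'Current user Root'                  = 'HKCU:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates'
}

$authRoot = Get-RootThumbprints $stores['AuthRoot (Microsoft program roots)']

# The Cert: drive merges the physical stores; use it only to resolve subjects.
$subjects = @{}
Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\AuthRoot, Cert:\CurrentUser\Root |
    ForEach-Object { $subjects[$_.Thumbprint] = $_.Subject }

# Emit one row per root in each non-AuthRoot physical store, flagging whether
# the same thumbprint is also delivered through Microsoft's AuthRoot update.
foreach ($name in $stores.Keys) {
    if ($name -like 'AuthRoot*') { continue }
    foreach ($tp in Get-RootThumbprints $stores[$name]) {
        [pscustomobject]@{
            Store      = $name
            Thumbprint = $tp
            InAuthRoot = ($authRoot -contains $tp)
            Subject    = $subjects[$tp]
        }
    }
}
```

Rows from the Group Policy, Enterprise and current-user stores are unambiguously administrator- or user-distributed. The local machine Root store is the one that needs care: besides anything an administrator imported there, Windows ships a small set of Microsoft's own roots in that store rather than in AuthRoot, so "present in Root, absent from AuthRoot" is a strong hint but not proof of a locally added root; a consumer that wants a clean distinction would need to treat the in-box Microsoft roots as a known allowlist. `certutil -store Root`, `certutil -store -grouppolicy Root` and `certutil -store -enterprise Root` show the same per-store split from the command line.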
