As discussed in and Firefox currently does
not let users fully untrust a root CA provided by Mozilla. Event though
the Certificate Manager allows to Edit Trust of a CA and then remove the
trust bits, this does not work for sites in the HTTP Strict Transport
Security (HSTS) preload list and sites that use HTTP Public Key Pinning
(HPKP). For those sites Firefox ignores security exceptions that have
been manually added to the Certificate Manager in the Servers tab.

Section "12.1. No User Recourse" of RFC 6797 states that the user should
not be presented with a UI to proceed or click through warning/error
dialogs. That makes sense to me and Firefox abides to this. However, RFC
6797 does not state or imply that exceptions manually added by the user
should be ignored and that the only way to visit a HSTS site should be
to fully trust the root CA at the top of the certificate chain.

I believe Firefox should allow the end user to ultimately control which
entities to trust. If a user decides to no longer trust a root CA the
user should be allowed to manually add certificates for servers she
wants to visit.

Please accept patch D60382 to make this possible again.

Kind regards,

Richard van den Berg

dev-tech-crypto mailing list

Reply via email to