As discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1606802 and https://phabricator.services.mozilla.com/D60382, Firefox currently does not let users fully untrust a root CA provided by Mozilla. Even though the Certificate Manager allows you to Edit Trust of a CA and then remove the trust bits, this does not work for sites in the HTTP Strict Transport Security (HSTS) preload list and sites that use HTTP Public Key Pinning (HPKP). For those sites Firefox ignores security exceptions that have been manually added to the Certificate Manager in the Servers tab.
Section "12.1. No User Recourse" of RFC 6797 states that the user should not be presented with a UI to proceed or click through warning/error dialogs. That makes sense to me and Firefox abides by this. However, RFC 6797 does not state or imply that exceptions manually added by the user should be ignored and that the only way to visit an HSTS site should be to fully trust the root CA at the top of the certificate chain. I believe Firefox should allow the end user to ultimately control which entities to trust. If a user decides to no longer trust a root CA, the user should be allowed to manually add certificates for servers she wants to visit. Please accept patch D60382 to make this possible again.

Kind regards,

Richard van den Berg

-- 
dev-tech-crypto mailing list
firstname.lastname@example.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
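The "remove the trust bits of a root CA" step described above can also be done outside the Certificate Manager UI, against the NSS database of a Firefox profile, with the certutil tool from nss-tools. The script below is an added example written for this page, not code from the post, from Mozilla or from patch D60382. The profile directory, the root nickname and the certutil listing used for the offline check are constructed placeholders; certutil -M with trust flags ",," clears the SSL, S/MIME and code-signing trust of a root, which is the same state the UI reaches when all trust bits are unticked.

```shell
#!/bin/sh
# Added example (not part of the mailing-list post): untrust a built-in root
# in a Firefox profile's NSS database and read the recorded trust back.
# Assumptions: `certutil` from nss-tools is on PATH, the profile uses the
# cert9.db (sql:) format, and PROFILE_DIR / the nickname are placeholders.

# Print the trust attributes (SSL,S/MIME,JAR/XPI column) that a
# `certutil -L` listing, read on stdin, records for one nickname.
# Each listing line is "<nickname, may contain spaces>   <trust flags>",
# so the flags are the last field and the nickname is everything before it.
trust_flags() {
  awk -v nick="$1" '
    NF < 2 { next }                       # header continuation / blank lines
    { t = $NF; $NF = ""; sub(/ +$/, "") } # split off the trailing flags field
    $0 == nick { print t }
  '
}

# Exit status 0 when the flags string means "no trust at all" (",,").
is_untrusted() {
  [ "$1" = ",," ]
}

# Show the trust currently recorded for a root in a profile directory.
show_trust() {            # $1 = profile dir, $2 = root nickname
  certutil -L -d "sql:$1" | trust_flags "$2"
}

# Clear every trust bit of a root: equivalent to Edit Trust with all boxes
# unticked. Firefox must be closed while the database is modified.
untrust_root() {          # $1 = profile dir, $2 = root nickname
  certutil -M -d "sql:$1" -n "$2" -t ",,"
}

# Constructed sample of `certutil -L` output, used so the parser can be
# exercised offline without a real profile.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
Another Root CA                                              ,,
'

# Usage: ./untrust_root.sh <profile dir> "<root nickname>"
# Does nothing when run without arguments so the parser can be tested alone.
if [ -n "${1:-}" ] && [ -n "${2:-}" ] && command -v certutil >/dev/null 2>&1; then
  echo "before: $(show_trust "$1" "$2")"
  untrust_root "$1" "$2"
  after=$(show_trust "$1" "$2")
  echo "after:  $after"
  is_untrusted "$after" && echo "root '$2' is now untrusted for SSL, S/MIME and code signing"
fi
```

After this, a site whose chain ends at that root fails validation, and for an ordinary site a Servers-tab exception restores access. For a site on the HSTS preload list or one using HPKP, the post reports that Firefox ignores such an exception, which is exactly the behaviour the proposed patch addresses.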