Jean-Marc Desperrier wrote:
Nelson Bolyard wrote:

moz used to automatically store a copy of all certs it received in emails,
regardless of whether they were or were not useful for encryption, and
mozilla would store certs with invalid signatures, or signed by untrusted
CAs, etc. That was bad because a bad cert could "poison" the cert store.


So, now mozilla only stores other people's certs that (a) are valid for encryption, and (b) were issued by valid CAs. It does this automatically.


And how do you import a cert issued by a non-recognised CA?

The best answer is to trust the CA, not the end-user cert. mozilla SHOULD NOT *automatically* import those certs (as it did before), but it SHOULD give the user the option to import it. Likewise, the CA should have a simple way for users to download and trust their CA certs.

I think I filed/commented an entry in bugzilla about manually trusting a cert issued by a non-recognized CA.
This change makes the functionality even more needed, if we agree that trusting the cert should import it and make it available to send encrypted mail if applicable.

The problem is that PSM is unstaffed. The crypto part of mozilla is made up of two components, NSS and PSM. NSS is the actual crypto library and it is used by many products, including mozilla. PSM is the mozilla browser/email's "glue" that interfaces to NSS, and also provides all the UI (dialogs) related to crypto. NSS is staffed by people at AOL and Sun, because they have other products that use it. PSM is not staffed.

Now that NSS no longer automatically imports untrusted certs, PSM should
be enhanced to give the user that choice.  But as I said, PSM is unstaffed
and sorely in need of volunteers.

