Nelson Bolyard wrote:
Julien Pierre wrote:

marcel wrote:

Hi all,

As I've seen, Microsoft has an "automatic root cert update" program to update the trusted root store.


AFAIK, that feature is only in WinXP, and then only ones with recent
OS updates.

(I don't really like that, but I think it has some advantages for the "normal" user that doesn't know anything about PKI).

I have some questions about the trusted root certs in Mozilla (NSS). What happens if one of the built-in root certs expires? Is there a similar automatic update, some process to ensure each user can renew the cert securely?



No. You have to update your browser manually, through the same insecure means that you use today.


I would have said:

When you update your browser, you get the newest root cert list.
You can also add new root certs yourself.
But there is not presently any automatic update for mozilla root CAs.

I'm wondering if that wouldn't be a nice feature: to do something similar to MS's solution, not fully automatic but instead e.g. having a website where a user can have a look at whether a newly encountered cert is trustworthy or not.
Why? - Today when a web site (e.g. a spoofed version of your online bank) presents a rogue cert, you're asked if you trust that. I believe most users just click yes: they don't know enough to decide on their own, so they rely on the information they get - from the web site asking to install the cert!
In this view, MS's solution is like consulting a trusted third party (MS), and I think that's what the user needs in such a situation to decide accurately.
In my opinion, a link inside the "do you want to trust this certificate?" dialogue to a mozilla web site listing the different CAs and their status of trustworthiness would be a nice feature.
What do you think about this?


/marcel

btw, I'm speaking for myself only; doing my diploma thesis on these kinds of things (rogue CAs).
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
