>> So ... you're saying that Mozilla should not allow changes to the root list?
> ... not allow additions to be made in the field on a running browser. I think most users would be best served by that policy, yes. Most users will never in their lives need to add a new CA, or know what a CA is. Therefore the ability to add a CA is for them mostly risk, mostly a chance to do the wrong thing.
I agree with you that user-initiated changes to the built-in CA root list should be discouraged; see below for more on that. But I thought in the scenario you're talking about the users were explicitly installing new software obtained from someone else (e.g., an ISP)? In that case the installation program could simply overwrite all the Mozilla/NSS code with whatever new code it wanted, including a new root CA list, regardless of what our policy says or what protections are implemented in our standard products.
Now back to user changes to the root CA list. I'll first remind you that I don't have direct influence over the Firefox/Thunderbird UI, so this is just me speculating out loud and nothing more, at least at present.
I don't believe that the standard versions of Firefox and Thunderbird should completely disable the ability of users to make changes to the root CA list; this is a useful capability for knowledgeable users, and IMO those users shouldn't have to compile Firefox from source or install a Firefox extension in order to do this.
However I do think that more could be done to discourage users from naively making such changes. In particular:
* As I've already proposed, we should arguably modify or completely remove SSL warning dialogs that offer to let users accept new CA certs, and not offer users that choice unless it's through a menu item that they have to go out of their way to explicitly select.
* I think we should also consider removing the ability to click on a link pointing to a CA cert and have an import dialog pop up. An alternative approach would be to force the CA cert to be saved to disk, with the user then having to do an explicit "import certificate" operation from the appropriate preferences dialog.
IIRC this suggested approach is similar to that taken by Firefox for downloaded native executable files (e.g., *.exe files for Windows). There would still be some people who would blindly follow instructions to download a CA cert and install it, just as there are people who would blindly follow instructions to download a .exe and run it, but at least it limits the possibility of users accidentally doing these things.
Frank
--
Frank Hecker [EMAIL PROTECTED]

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
