Duane wrote re discouraging users from modifying the default cert database:
There was a bug on bugzilla for this and it has since been marked won't fix...
https://bugzilla.mozilla.org/show_bug.cgi?id=276827
You should also have a look at:
https://bugzilla.mozilla.org/show_bug.cgi?id=267515
Note that I'm *not* in favor of totally locking users out from accepting new CA certs or server certs as valid. Rather what I would like to see us eliminate is forcing such decisions on naive users by presenting them with warning dialogs that have to be clicked through to proceed. That's why I think connecting to sites with self-signed certs or sites with certs from unknown CAs should *not* cause warning popups, but should include informational messages by which users who wanted to could get more information and the opportunity to accept new server or CA certs.
Adding a new cert could be a menu item right off an informational message dropdown menu (probably more suitable for adding a self-signed server cert), or could be on a subsequent dialog box; the main point is that users wouldn't have to do anything, they could just view the page and not worry about having to answer questions they don't necessarily understand.
Frank
-- Frank Hecker [EMAIL PROTECTED] _______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
