On Wednesday, January 22, 2020 at 8:29:23 AM UTC-7, Richard van den Berg wrote:
> As discussed in https://bugzilla.mozilla.org/show_bug.cgi?id=1606802 and
> https://phabricator.services.mozilla.com/D60382 Firefox currently does
> not let users fully untrust a root CA provided by Mozilla. Even though
> the Certificate Manager allows one to Edit Trust of a CA and then remove the
> trust bits, this does not work for sites in the HTTP Strict Transport
> Security (HSTS) preload list and sites that use HTTP Public Key Pinning
> (HPKP). For those sites Firefox ignores security exceptions that have
> been manually added to the Certificate Manager in the Servers tab.
>
> Section "12.1. No User Recourse" of RFC 6797 states that the user should
> not be presented with a UI to proceed or click through warning/error
> dialogs. That makes sense to me and Firefox abides by this. However, RFC
> 6797 does not state or imply that exceptions manually added by the user
> should be ignored and that the only way to visit an HSTS site should be
> to fully trust the root CA at the top of the certificate chain.
>
> I believe Firefox should allow the end user to ultimately control which
> entities to trust. If a user decides to no longer trust a root CA the
> user should be allowed to manually add certificates for servers she
> wants to visit.
>
> Please accept patch D60382 to make this possible again.
>
> Kind regards,
>
> Richard van den Berg

Hi Richard,

Just to acknowledge, we're talking this through (and my comments on the patch)
internally, but since we're all packing up for our All Hands meeting in Berlin
next week we haven't had enough time to reason through the threat-model here.
We're going to talk this through though, and please feel free to ping if I
don't seem to get back to it fast enough.

Thanks for being involved, and sorry for the delay!

J.C.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto