Account Options

  1. Sign in
The old Google Groups will be going away soon, but your browser is incompatible with the new version.
Google Groups Home
« Groups Home
mozilla.dev.security.policy
+ new post
About this group
Subscribe to this group
This is a Usenet group - learn more
Message from discussion New wiki page called CA:Root_Change_Process
The group you are posting to is a Usenet group. Messages posted to this group will make your email address visible to anyone on the Internet.
Your reply message has not been sent.
Your post was successful
 
From:
To:
Cc:
Followup To:
Add Cc | Add Followup-to | Edit Subject
Subject:
Validation:
For verification purposes please type the characters you see in the picture below or the numbers you hear by clicking the accessibility icon. Listen and type the numbers you hear
 
Nelson B  
View profile  
 More options Feb 4 2010, 11:49 pm
Newsgroups: mozilla.dev.security.policy
From: Nelson B <nel...@bolyard.me>
Date: Thu, 04 Feb 2010 20:49:41 -0800
Local: Thurs, Feb 4 2010 11:49 pm
Subject: Re: New wiki page called CA:Root_Change_Process
Print | View thread | Show original | Report this message | Find messages by this author
David,  I'm going to try to address all your questions without specifically
answering any one of them, by trying to give you a simple explanation of
how this all works, a simple model that you can carry in your head, with
which you should find all Mozilla products' behaviors to be consistent.
When you understand this model, you should find that you are able to answer
your own questions intuitively from your own understanding of this model.

For simplicity, I will assume the basic and most common configuration, in
which you have only the software distributed by Mozilla and do not have any
additional PKCS#11 modules (with or without any additional hardware)
installed that may be capable of storing additional certificates.  The
model with them is slightly more complicated than the one I'm about to
present, but only slightly.

NSS is capable of accessing certificates that have been stored in a number
of places, all accessible through the PKCS#11 API.  The two places of
greatest interest are

#1) Your certificate database, which is kept in a file on disk that you can
alter.  It starts out empty.  Any root certificates it contains are there
because of actions that you have taken, such as downloading or importing
roots, or editing trust flags.  As a rule, an update to your Mozilla
installation of a Mozilla product will not change the contents
of this database.  (Rarely, it may change the FORMAT of the database, but
not the content.)

#2) Mozilla's trusted root list, kept in a read-only shared library which
is one of the files that gets updated whenever your product's executable
files get updated.

Both of these stores of certificates may contain certificates and trust
flags.

When NSS goes looking for a stored certificate, or trust flags for a stored
certificate, it first looks in your certificate database.  If it finds the
certificate there, it stops.  It uses whatever trust flags are there in
that database with that certificate.

If it does NOT find the certificate it wants in that database, it looks in
Mozilla's trusted root list.  If it finds the cert there, then it uses the
cert and trust flags it finds there.  It does not copy the cert and flags
from the root list into your database.  It just uses them where and as they
are.

When you use your product's certificate manager to edit the trust flags on
a certificate, the cert manager first looks for the cert in your database,
and if it's there, then that copy gets edited.  If it's not there, then
cert manager looks for a copy in the trusted cert list, and if found,
copies it and its flags into your data base, and then edits it there.
(After all, it cannot edit the copy in Mozilla's list, because that copy
is read-only.)  After that, that cert will remain in your database, and
each time that the product goes looking for it, it will find it in your
database, not in the trusted list.

If you delete a cert in your database, one that is also in the trusted
list, it may appear to be completely gone, until you restart your program,
at which point it will reappear, because it never left the trusted root
list.  It may reappear in the trusted root list with the trust flags from
that list.  That's why we tell people that if they want to get rid of a
root, the thing to do is NOT to delete it, but rather is to take away all
its trust.  (The behavior when a cert is deleted has changed a few times
over the years.)

If you edit the trust on a cert in the root list, taking away (say) one of
the 3 trust flags, but leaving the other two, then that cert and the two
trust bits will be in your cert DB.  After that, if Mozilla removes that
cert completely from Mozilla's trust list, it will remain in your cert DB
with those two trust flags.  Mozilla's changes to the default trust list
never affect your databases.  Your databases contain what YOU put there.
They're your baby, your responsibility.

In conclusion, the changes Mozilla makes to Mozilla's read-only list of
trusted root certs affect only those certs that do not also appear in your
cert DB.  When you cause copies of any of those certs to appear in your
cert DB, then you have taken control of the trust for those copies, and
changes made by Mozilla thereafter to those certs will not affect you.


 
You must Sign in before you can post messages.
To post a message you must first join this group.
Please update your nickname on the subscription settings page before posting.
You do not have the permission required to post.
Create a group - Google Groups - Google Home - Terms of Service - Privacy Policy
©2013 Google