desktop-packages team mailing list archive

[Bug 543183]

The attachment "F14 1.9.2 patch to allow use of system certificate
store" of this bug report has been identified as being a patch.  The
ubuntu-reviewers team has been subscribed to the bug report so that they
can review the patch.  In the event that this is in fact not a patch you
can resolve this situation by removing the tag 'patch' from the bug
report and editing the attachment so that it is not flagged as a patch.
Additionally, if you are a member of the ubuntu-sponsors, please also
unsubscribe the team from this bug report.

[This is an automated message performed by a Launchpad user owned by
Brian Murray.  Please contact him regarding any issues with the action
taken in this bug report.]

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to firefox in Ubuntu.
https://bugs.launchpad.net/bugs/543183

Title:
  Updating system certificates requires rebuild

Status in The Mozilla Firefox Browser:
  Confirmed
Status in “firefox” package in Ubuntu:
  Triaged
Status in “firefox” package in Fedora:
  Unknown

Bug description:
  Binary package hint: firefox

  Hi,
  Updating the list of trusted root certificate authorities across all users of a system seems to require rebuilding a library. Non-root certificates may similarly be impacted.

  update-ca-certificates could be a mechanism to update the root
  certificates used by firefox.

  On a corporate install of firefox, currently the only options for adding an internal root certificate authority are to:
     * Hack it into the user creation script to extract a pre-created profile, and update all the existing users' profile directories. This bypasses the random profile directory creation.
     * Re-compile the shared library (.so) containing the root certificate authorities (extra maintenance for dealing with ubuntu package updates).
     * Have every user of the system go through a manual process of adding the root certificate (most users don't know how).
     * Use a plugin extension for firefox (do any exist?) that is automatically used by all users (can this be done?)
     * Have the root certificate signed at great expense by an external root certificate authority already included. CAcert integration would lower the cost but that seems far away, and is still an external authority. These root certificates also might be limited to a single domain (wildcard certificate?) or have other limitations ("low" expiry?, contractual restrictions...).

  It seems unlikely that Mozilla will move away from having the root
  certificates stored in the shared library as it would take some
  control away from them. The shared library method makes it harder for
  malicious changes to be made, but only by adding the barrier of
  recompilation and installation of a shared library.

  Thanks,

       Drew Daniels
  Resume: http://www.boxheap.net/ddaniels/resume.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/firefox/+bug/543183/+subscriptions
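
The first workaround in the report (updating every existing user's profile, each under a randomly named directory) can be scripted by reading each user's `profiles.ini` and passing the profile path to NSS `certutil`. This is an added example, not part of the bug report or of Firefox or Ubuntu code; the home root, CA file path and nickname are assumptions, and it only builds the commands so an administrator can review them before running anything.

```python
import configparser
import tempfile
from pathlib import Path

def profile_dirs(firefox_dir):
    """Return the profile directories listed in <firefox_dir>/profiles.ini."""
    ini = configparser.ConfigParser(interpolation=None)
    ini.optionxform = str  # keep key case ("Path", "IsRelative")
    ini.read(Path(firefox_dir) / "profiles.ini")  # a missing file yields no sections
    dirs = []
    for name in ini.sections():
        if not name.startswith("Profile") or "Path" not in ini[name]:
            continue
        path = Path(ini[name]["Path"])
        if ini[name].get("IsRelative", "1") == "1":
            path = Path(firefox_dir) / path
        dirs.append(path)
    return dirs

def import_commands(home_root, ca_file, nickname):
    """Build one 'certutil -A' command per existing profile under home_root."""
    cmds = []
    for home in sorted(Path(home_root).iterdir()):
        for prof in profile_dirs(home / ".mozilla" / "firefox"):
            if not prof.is_dir():
                continue  # stale profiles.ini entry
            # cert9.db is the SQL-format NSS database; older profiles use cert8.db (dbm)
            prefix = "sql:" if (prof / "cert9.db").exists() else "dbm:"
            # Trust flags "C,,": trusted CA for TLS server certificates only
            cmds.append(["certutil", "-A", "-n", nickname, "-t", "C,,",
                         "-i", str(ca_file), "-d", prefix + str(prof)])
    return cmds

def build_sample(root):
    """Constructed sample tree: two homes with randomly named profiles."""
    for user, prof, db in (("alice", "x7k2p9qa.default", "cert8.db"),
                           ("bob", "m3w8zt1c.default", "cert9.db")):
        ff = Path(root) / user / ".mozilla" / "firefox"
        (ff / prof).mkdir(parents=True)
        (ff / prof / db).touch()
        (ff / "profiles.ini").write_text(
            "[General]\nStartWithLastProfile=1\n\n"
            f"[Profile0]\nName=default\nIsRelative=1\nPath={prof}\n")
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        # Hypothetical CA path and nickname, for illustration only
        for cmd in import_commands(build_sample(tmp), "/etc/ssl/internal-root.pem",
                                   "Internal Root CA"):
            print(" ".join(cmd))
```

New accounts still need the same step at creation time, which is the maintenance burden the report describes.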