@J.C. Jones Can you kindly undo your recent change to the status of this bug?
@David Woodhouse: p11-kit-trust.so only handles CA certificates; it does not pull in the PKCS#11 security module configuration, which is stored in the system-wide NSS database. This is required where smart cards are used (using security modules such as OpenSC, either directly or via the p11-kit-proxy security module). This was part of the issue reported with this bug.

As it stands now, the PKCS#11 module configuration still has to be manually added to every Firefox/Thunderbird profile after the application is first launched by the user and the NSS databases are created at that time. Changes to the system-wide NSS database won't propagate (for example, if the system administrator replaces the CoolKey module with OpenSC).

--
https://bugs.launchpad.net/bugs/543183

Title:
  Updating system certificates requires rebuild

Status in Mozilla Firefox:
  Won't Fix
Status in firefox package in Ubuntu:
  Triaged
Status in firefox package in Fedora:
  Won't Fix

Bug description:
  Binary package hint: firefox

  Hi,

  Updating the list of trusted root certificate authorities across all users of a system seems to require rebuilding a library. Non-root certificates may similarly be impacted.

  update-ca-certificates could be a mechanism to update the root certificates used by firefox.

  On a corporate install of firefox, currently the only options for adding an internal root certificate authority are to:

  * Hack it into the user creation script to extract a pre-created profile, and update all the existing users' profile directories. This bypasses the random profile directory creation.
  * Re-compile the shared library (.so) containing the root certificate authorities (extra maintenance for dealing with Ubuntu package updates).
  * Have every user of the system go through a manual process of adding the root certificate (most users don't know how).
  * Use a plugin extension for firefox (do any exist?) that is automatically used by all users (can this be done?)
  * Have the root certificate signed at great expense by an external root certificate authority already included. CaCert integration would lower the cost but that seems far away, and is still an external authority. These root certificates also might be limited to a single domain (wildcard certificate?) or have other limitations ("low" expiry?, contractual restrictions...).

  It seems unlikely that Mozilla will move away from having the root certificates stored in the shared library as it would take some control away from them. The shared library method makes it harder for malicious changes to be made, but only by adding the barrier of recompilation and installation of a shared library.

  Thanks,

  Drew Daniels
  Resume: http://www.boxheap.net/ddaniels/resume.html
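The comment at the top of this message describes per-profile PKCS#11 module lists drifting from the system-wide NSS database. The sketch below is an added example, not code from the bug report or from Mozilla: it compares the module entries of two `pkcs11.txt` files, assuming the databases use NSS's SQL format, where registered modules are listed in that file. The function names, library paths and sample file contents are constructed for illustration.

```python
import re


def parse_pkcs11_txt(text):
    """Return {module name: library path} from pkcs11.txt content.

    Stanzas are separated by blank lines and hold key=value lines.
    A stanza with an empty library= (the NSS internal module) is skipped.
    """
    modules = {}
    for stanza in re.split(r"\n\s*\n", text.replace("\r\n", "\n")):
        fields = {}
        for line in stanza.splitlines():
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            fields[key.strip().lower()] = value.strip()
        if fields.get("library"):
            modules[fields.get("name", fields["library"])] = fields["library"]
    return modules


def module_drift(system_text, profile_text):
    """Compare module libraries registered system-wide with one profile's."""
    system = set(parse_pkcs11_txt(system_text).values())
    profile = set(parse_pkcs11_txt(profile_text).values())
    return {
        "missing": sorted(system - profile),  # administrator added, profile lacks
        "stale": sorted(profile - system),    # profile still loads, system dropped
    }


# Constructed sample: the administrator has replaced CoolKey with OpenSC.
SYSTEM_DB = """library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical

library=/usr/lib/opensc-pkcs11.so
name=OpenSC
"""

# Constructed sample: a user profile created before the change.
PROFILE_DB = """library=
name=NSS Internal PKCS #11 Module
NSS=Flags=internal,critical

library=/usr/lib/libcoolkeypk11.so
name=CoolKey
"""

if __name__ == "__main__":
    print(module_drift(SYSTEM_DB, PROFILE_DB))
```

Run against the real files, a non-empty `stale` list identifies profiles that still load a module the administrator has retired.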