On 4 , 03:33, Nelson Bolyard <[EMAIL PROTECTED]> wrote:
> I agree with the rest of what you wrote, down to here:
>
> > The major downside of the XPCOM approach is that it requires user
> > intervention: for some reason you cannot pass the certificate trust as
> > an argument for the certificate import methods (see e.g.
> > nsIX509CertDB::ImportCertsFromFile) so the user will be presented with
> > a pop-up dialog where he'll have to tick the appropriate check-boxes;
>
> Yes. Does that surprise you? It shouldn't.
>
> Should web pages be able to alter the user's set of trusted CAs without
> his knowledge?
>
> If they could, what would stop a "bad guy" from installing his own
> evil root CA certs as trusted in the user's browser, then thereafter
> successfully attacking the user's otherwise "secure" pages?
>
> With a bogus root CA installed and trusted, an attacker could successfully
> MITM attack any server he chose. Imagine a rogue employee at your ISP
> doing that. The user's ability to control what certs he trusts is his
> PRIMARY DEFENSE against MITM attackers. If we take away that control
> from the user, and give it to the web site designer, FireFox users
> would have no reason remaining to trust anything they see in their
> browser windows, ever again. That's why we require user participation
> in matters affecting their security.
You are right that importing a *root* CA is actually a process of establishing trust between the user and the cert. issuer. Thus, the user should explicitly (dis)approve this. However, installing *non-root* stuff, or specifying the password for a pfx, are tasks that can be performed without the user. And this is exactly what I am grumbling about.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
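The distinction the two posters converge on, that granting CA trust needs the user in the loop while merely storing a certificate does not, can be modelled as a small policy. The following is an added example, not NSS or XPCOM code and not from either poster: it is a toy trust database in Python with constructed `Trust` flags (loosely after NSS's "C,," style settings) and a constructed `Cert` record. Importing a certificate with no trust flags (an intermediate for chain building, or the user's own cert from a PKCS#12 file) never prompts; granting `TRUSTED_CA` always requires `user_approved=True`, whether the CA is self-signed or not, since either lets it vouch for any server. Signature verification is out of scope; only the trust decision is modelled.

```python
from dataclasses import dataclass, field
from enum import Flag, auto


class Trust(Flag):
    # Constructed subset of trust settings, loosely after NSS's "C,," / "u,," flags.
    NONE = 0
    TRUSTED_CA = auto()   # this CA may vouch for servers: a root-of-trust decision
    USER_CERT = auto()    # the user's own certificate (e.g. imported from a pfx/PKCS#12 file)


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: names only, no keys or signatures."""
    subject: str
    issuer: str
    is_ca: bool = False   # basicConstraints CA flag

    @property
    def is_self_signed(self) -> bool:
        return self.subject == self.issuer


class ConsentRequired(Exception):
    """Raised when an import would change which CAs the user trusts without the user's say-so."""


@dataclass
class TrustDB:
    # subject -> (cert, trust). Real stores key on subject plus key; a name suffices here.
    entries: dict = field(default_factory=dict)

    @staticmethod
    def needs_consent(cert: Cert, trust: Trust) -> bool:
        """Only trust elevation needs a prompt; storing a cert as untrusted never does."""
        if Trust.TRUSTED_CA in trust and not cert.is_ca:
            raise ValueError(f"{cert.subject!r} is not a CA certificate")
        return Trust.TRUSTED_CA in trust

    def import_cert(self, cert: Cert, trust: Trust = Trust.NONE, *, user_approved: bool = False) -> Trust:
        """Store cert and return the trust it ends up with in the database."""
        if self.needs_consent(cert, trust) and not user_approved:
            raise ConsentRequired(f"granting CA trust to {cert.subject!r} needs explicit user approval")
        prev = self.entries.get(cert.subject, (cert, Trust.NONE))[1]
        # A re-import never silently drops trust the user granted earlier.
        final = prev | trust
        self.entries[cert.subject] = (cert, final)
        return final

    def is_trusted_ca(self, cert: Cert) -> bool:
        entry = self.entries.get(cert.subject)
        return entry is not None and Trust.TRUSTED_CA in entry[1]

    def chain_is_trusted(self, chain: list) -> bool:
        """chain[0] is the leaf; each following cert must have issued the one before it.

        The chain is trusted only if it reaches a CA the user explicitly chose to
        trust. An imported-but-untrusted root (Trust.NONE) vouches for nothing.
        """
        if not chain:
            return False
        for cert, issuer in zip(chain, chain[1:]):
            if cert.issuer != issuer.subject or not issuer.is_ca:
                return False
            if self.is_trusted_ca(issuer):
                return True
        # The last cert's issuer may already be a trusted anchor in the store.
        entry = self.entries.get(chain[-1].issuer)
        return entry is not None and Trust.TRUSTED_CA in entry[1]


if __name__ == "__main__":
    # Constructed scenario: a bogus root offered by a page versus a root the user approved.
    db = TrustDB()
    evil_root = Cert("Evil Root", "Evil Root", is_ca=True)
    good_root = Cert("Legit Root", "Legit Root", is_ca=True)
    intermediate = Cert("Legit Intermediate", "Legit Root", is_ca=True)
    server = Cert("bank.example", "Legit Intermediate")
    spoofed = Cert("bank.example", "Evil Root")
    try:
        db.import_cert(evil_root, Trust.TRUSTED_CA)          # no approval: refused
    except ConsentRequired as exc:
        print("refused:", exc)
    db.import_cert(evil_root)                                 # stored untrusted: harmless
    print("spoofed chain trusted?", db.chain_is_trusted([spoofed, evil_root]))
    db.import_cert(good_root, Trust.TRUSTED_CA, user_approved=True)
    db.import_cert(intermediate)                              # non-root, no prompt
    print("legit chain trusted?", db.chain_is_trusted([server, intermediate]))
```

The model makes the asymmetry explicit: the prompt is tied to the trust flag, not to the import operation, which is what makes unattended import of intermediates and user certificates safe to offer.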