I'm also going to state that yes, I know this, because I HAVE DONE IT. And I wouldn't wish that hell on anyone who didn't have a DETAILED knowledge of how the X.509 model operates, and I wouldn't wish the user-interface hell on ANYONE.
-Kyle H

On Wed, Dec 24, 2008 at 2:36 PM, Kyle Hamilton <aerow...@gmail.com> wrote:
> On Wed, Dec 24, 2008 at 1:46 PM, Nelson B Bolyard <nel...@bolyard.me> wrote:
>> Of course, that is COMPLETELY equivalent to simply setting trust flags on
>> the CA certs you want to trust, and removing those flags from the ones you
>> don't want to trust, which is already a part of Mozilla browsers (and
>> Netscape browsers, before them) for over 14 years.
>
> To be honest, Mozilla doesn't distribute keytool with Firefox, which
> means that I have to try to go into the (unbatchable) interface and
> remove the flags one. by. one. by. one. and then select the next
> certificate and remove those trust flags, and the next, and the next,
> and the next...
>
> ...for all hundred or so certs that Firefox includes.
>
> And then, once I DO manage to do that, then with the "new and
> improved" user interface updates, I then have to click at least six
> times to try to figure out what's going on, and then when I do find a
> site that's protected by an unknown CA certificate (OR that I've
> removed the trust bits on), I have to do the following:
>
> 1) Click 'add an exception'
> 2) click 'get certificate' (why I should have to do this is beyond me,
> since firefox obviously already has the certificate downloaded since
> it told me 'sec_error_untrusted_issuer', which it couldn't have known
> without the certificate in its possession ANYWAY)
> 3) click 'view'
> 4) get the name of the Issuer
> 5) hope to all the gods that there's enough information in the chain
> to figure out what root it's supposed to be going to
> 6) close the window
> 7) go into Preferences
> 8) click Advanced
> 9) click Encryption
> 10) click 'View Certificates'
> 11) Scroll through the list, with each click giving me approximately
> 0.6 useful results (given the preponderance of 'section headings by
> root owner', which by the way doesn't work at all with the Addtrust AB
> stuff since those are Comodo roots)
> 12) find the appropriate root and re-enable it for identification of websites
> 13) refresh the page.
>
> How 'bout this, Nelson (and I invite Frank and the entire security UI
> team to do this, as well): YOU do it. Create a new profile and
> manually remove the trust on every CA. Then, browse around, and see
> which CAs are actually used by you in your day-to-day browsing,
> reenabling them manually (since you're trying to emulate not having
> keytool around).
>
> Furthermore, even when keytool IS available, it's entirely likely that
> its name conflicts with Java's keytool. (especially on Mac OSX.)
>
> This is completely unworkable, and discourages users that want to from
> taking their security into their own hands.
>
> -Kyle H
>
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto