David Woodhouse <dw...@infradead.org> wrote: > The sysadmin should be able to configure things for *all* users > according to the desired policy, rather than forcing each user to set > things up for themselves. > > And in turn the *developers* of the operating system distribution > should be able to set a default policy for the sysadmin to build upon. >
Actually, this is the opposite of Firefox's policy. Firefox *intentionally* doesn't do that. It may be possible to hack things to make it work (I believe RHEL and Fedora do something like that already, for example), but those hacks violate the spirit, if not the letter, of the Firefox trademark policy regarding unauthorized modifications of Firefox. And, also, AFAICT, those kinds of hacks may stop working at any time. Said differently, there is nothing special about Linux. Just as Firefox intentionally doesn't use Windows's central certificate trust database on Windows, and just as it doesn't use Mac OS X's central certificate trust database on Mac OS X, it shouldn't use a Linux distro's central certificate trust database. Put yet another way, it is basically Mozilla's policy to make sysadmins' and Linux distros' jobs difficult in this area, because doing so is sort of required for Mozilla to maintain autonomy over its root CA inclusion policy. Thus, "fixing" this kind of problem is actually harmful. That said, of course it would be nice if smart cards and client certificates worked automatically, but those improvements need to be in such a way that they wouldn't change the trust and non-trust of server certificates. Cheers, Brian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
