debian CA not shipped in firefox

Bug #1042040 reported by Paul Childs
This bug affects 3 people
Affects: firefox (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned

Bug Description

From question: https://answers.launchpad.net/ubuntu/+source/ca-certificates/+question/79192

Various secure websites signed by ca.debian.org are listed in Firefox as having invalid security certificates. E.g. https://alioth.debian.org/ URLs and https://mentors.debian.net/register/register etc.

One shouldn't have to compromise security by creating exceptions to access secure Debian websites. There is a large amount of contribution between Ubuntu and Debian devs and having stumbling blocks like this in the way can only hurt the working relationship.

Philipp Kern (pkern) wrote :

AFAIK that's not true for ca-certificates; it does include the Debian CA. The problem is Firefox, which does not use the database found in ca-certificates at all. And Ubuntu is not allowed, thanks to trademark rules, to change the certificate database of NSS (cf. iceweasel vs. firefox in Debian).

Paul Childs (childsey01) wrote :

Seems to be the case and what the guys at Debian are hinting at (they say their ca-certificates package matches). Maybe time for me to switch to a different browser when accessing such secure sites (I also get the same problem on Chromium - I haven't tried Opera, but just discovered Midori works - probably designed to be more friendly to a Linux user's needs - so it might do as a good backup).
So basically no likelihood of a fix from Firefox, so just me wasting people's time with a dead-end bug report. Still hope someone might find having the info out in the public domain useful.

Jerome Warnier (jwarnier) wrote :

This seems really strange to me.
Actually, I know of the StartSSL CA which is not recognized on Ubuntu 12.04 while it is on the yet-to-be-released 12.10. And AFAIK, Firefox versions are identical between both (15.0.1), while ca-certificates is significantly newer on 12.10.

So, basically, even if the same Firefox version is used, it does not necessarily behave the same?

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
deejoe (nyloco) wrote :

Do the trademark rules prohibit distributing an optional package that modifies the certificate store for Firefox?

deejoe (nyloco) wrote :
affects: ca-certificates (Ubuntu) → firefox (Ubuntu)
summary: - Ubuntu doesn't trust debian
+ debian CA not shipped in firefox
Chris Coulson (chrisccoulson) wrote :

There is a process for CAs to follow to get their root included in Firefox: https://wiki.mozilla.org/CA:How_to_apply

Please have a read of the bug reporting guidelines: https://wiki.ubuntu.com/MozillaTeam/Bugs#Requests_for_inclusion_of_new_CA.27s

Changed in firefox (Ubuntu):
status: Confirmed → Invalid
Chris Coulson (chrisccoulson) wrote :

And the Debian CA is only an intermediate. Their certificate is signed by SPI, whose root is not included in Mozilla products (presumably because it hasn't applied for that).

ca-certificates does include the SPI root in addition to those included in Firefox, but note the disclaimer in the README.Debian file in the ca-certificates source package:

"Please note that Debian can neither confirm nor deny whether the
certificate authorities whose certificates are included in this package
have in any way been audited for trustworthiness or RFC 3647 compliance.
Full responsibility to assess them belongs to the local system
administrator."
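
Added illustration, not part of the original thread or of any Ubuntu, Debian or Mozilla tooling: the script below builds a constructed root, intermediate and leaf chain with the `openssl` CLI and validates the same chain against two trust stores, one that ships the root and one that does not, which is the situation described above for ca-certificates versus the store Firefox uses. All certificate names and file names are hypothetical, and it assumes `openssl` is installed.

```bash
#!/usr/bin/env bash
# Constructed lab PKI; every name is hypothetical. "Lab Root" plays a root
# that one trust store ships and another does not.

lab_req() {  # $1 = work dir, remaining args passed to `openssl req`
  local d=$1; shift
  openssl req -config "$d/cfg" -new -newkey rsa:2048 -nodes "$@" 2>/dev/null
}

lab_sign() {  # $1 = work dir, $2 = issuer, $3 = subject, $4 = ext section, $5 = serial
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.pem" -CAkey "$1/$2.key" \
    -set_serial "$5" -days 2 -extfile "$1/cfg" -extensions "$4" \
    -out "$1/$3.pem" 2>/dev/null
}

make_lab_pki() {  # $1 = empty work dir
  local d=$1
  printf '%s\n' '[req]' 'distinguished_name = dn' 'prompt = no' \
    '[dn]' 'CN = unused' \
    '[v3_ca]' 'basicConstraints = critical,CA:TRUE' \
    '[v3_leaf]' 'basicConstraints = CA:FALSE' > "$d/cfg"
  # Two self-signed roots: the chain's own root and an unrelated one.
  lab_req "$d" -x509 -days 2 -extensions v3_ca -subj "/CN=Lab Root" \
    -keyout "$d/root.key" -out "$d/root.pem" &&
  lab_req "$d" -x509 -days 2 -extensions v3_ca -subj "/CN=Other Root" \
    -keyout "$d/other.key" -out "$d/other.pem" &&
  # root -> intermediate -> leaf
  lab_req "$d" -subj "/CN=Lab Intermediate" -keyout "$d/int.key" -out "$d/int.csr" &&
  lab_sign "$d" root int v3_ca 2 &&
  lab_req "$d" -subj "/CN=site.example" -keyout "$d/leaf.key" -out "$d/leaf.csr" &&
  lab_sign "$d" int leaf v3_leaf 3 &&
  # Store A ships both roots; store B ships only the unrelated root.
  cat "$d/root.pem" "$d/other.pem" > "$d/store_a.pem" &&
  cp "$d/other.pem" "$d/store_b.pem"
}

store_has_ca() {  # $1 = PEM bundle, $2 = subject substring
  openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout | grep -q "subject=.*$2"
}

chain_validates() {  # $1 = trust store, $2 = intermediate, $3 = leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3" 2>/dev/null | grep -q ': OK$'
}

d=$(mktemp -d) && make_lab_pki "$d" || { echo "openssl setup failed" >&2; exit 1; }
for s in store_a store_b; do
  store_has_ca "$d/$s.pem" "Lab Root" && r=yes || r=no
  chain_validates "$d/$s.pem" "$d/int.pem" "$d/leaf.pem" && v=valid || v=untrusted
  echo "$s: ships Lab Root=$r, site.example chain=$v"
done
rm -rf "$d"
```

On Debian and Ubuntu, `store_has_ca` can be pointed at the bundle that ca-certificates generates, `/etc/ssl/certs/ca-certificates.crt`, to check whether a given root is shipped there.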

era (era) wrote :

See also related bug LP #1287130
