hardy cacert RA not seen by firefox -3

Bug #205992 reported by Toltech on 2008-03-24
Affects | Status | Importance | Assigned to | Milestone
ca-certificates (Ubuntu) | | Undecided | Unassigned |
firefox (Ubuntu) | | Undecided | Unassigned |
firefox-3.0 (Ubuntu) | | Undecided | Unassigned |
nss (Ubuntu) | | Wishlist | Unassigned |
xulrunner-1.9 (Ubuntu) | | Undecided | Unassigned |

Bug Description

Binary package hint: ca-certificates

after installing ca-certificates, the cacert root certificate is not seen by firefox 3

James Westby (james-w) wrote :

Hi,

Can you explain what you mean by firefox not
seeing the root certificate please?

Thanks,

James

Changed in ca-certificates:
status: New → Incomplete

Toltech (robert-toltech) wrote :

Hello,
I am expecting ca-certificates to install root certificates system wide (also for firefox, thunderbird and others). This would be a great mechanism to deploy these certificates across a big number of systems. We for example would be using cacert to protect all kinds of servers (including web services).

The firefox root certificates are viewable under: Edit->Preferences->Advanced->Encryption->View Certificates->Authorities

If the package ca-certificates is not meant for this purpose or not meant to support firefox (3), this is no bug and it can be removed.
Regards,
Robert

James Westby (james-w) wrote :

Hi,

I don't know if this is the fault of ca-certificates or
firefox, so I have opened a task for the latter as well.

Thanks,

James

Changed in ca-certificates:
status: Incomplete → New

Toltech (robert-toltech) wrote :

Thanks,
Don't know where is the problem either.

I have been finding lots of changes for file locations used by firefox 3 in respect to firefox 2. Some packages have not been updated for these changes.

Regards,
Robert

Fabien Tassin (fta) wrote :

This has to do with libnss3 not using ca-certificates but only trusted certs blessed by Mozilla.

Toltech (robert-toltech) wrote :

So this is no bug?

Fabien Tassin (fta) wrote :

Indeed, it's not a bug

Changed in firefox-3.0:
status: New → Invalid
Changed in ca-certificates:
status: New → Invalid

Fabien Tassin (fta) wrote :

Added as wished for nss but I'm not sure we really want to do it.

Changed in nss:
importance: Undecided → Wishlist
status: New → Triaged

liorda (liorda) wrote :

any change yet?

this is really bad since many websites use cacert certificates, and it's much easier to use a package from the repositories than manually install each certificate.

On Tue, May 20, 2008 at 05:35:44PM -0000, liorda wrote:
> any change yet?
>
> this is really bad since many websites use cacert certificates, and it's
> much easier to use a package from the repositories than manually install
> each certificate.
>

we ship whatever mozilla ships and nothing more.

 affects ubuntu/firefox-3.0
 status wontfix

 - Alexander

Changed in firefox-3.0:
status: Invalid → Won't Fix

liorda (liorda) wrote :

Hi Alexander,

I believe whoever installs the ca-certificates package really wants to trust the CAs included in it, *system wide*.

As a maintainer of websites that use cacert certificates, it's much easier to ask the user to install that package rather than to install the certificate itself. It's even more important since now firefox won't even let you browse the page without the ca certificate installed.

This bug is not about the default certificates installed with firefox. It is about whether or not to allow the user to easily (and knowingly) trust more CAs (the most common ones) for ssl and internet browsers.

Please tell me if I'm missing the point.

thanks,
--Lior

Alexander Sack (asac) wrote :

On Thu, Jun 05, 2008 at 12:44:29PM -0000, liorda wrote:
> Hi Alexander,
>
> I believe whoever installs the ca-certificates package really wants to
> trust the CAs included in it, *system wide*.
>
> As a maintainer of websites that use cacert certificates, it's much
> easier to ask the user to install that package rather than to install the
> certificate itself. It's even more important since now firefox won't
> even let you browse the page without the ca certificate installed.
>
> This bug is not about the default certificates installed with firefox.
> It is about whether or not to allow the user to easily (and knowingly)
> trust more CAs (the most common ones) for ssl and internet browsers.
>
> Please tell me if I'm missing the point.
>

Well, the package might get pulled in automatically by some other
package, so it's not always an explicit decision by the user. Better
safe than sorry.

However, at some point we should have an extension or something that
allows the user to select those root certificates easily in the "Import
Certificate ..." dialog.

 affects ubuntu/firefox-3.0
 status wontfix

 affects ubuntu/xulrunner-1.9
 status wontfix

 affects ubuntu/firefox
 status wontfix

 - Alexander

Alexander Sack (asac) wrote :

Further, it's not an nss bug.

 affects ubuntu/nss
 status invalid

 - Alexander

Changed in nss:
status: Triaged → Invalid