Comment 43 for bug 543183

In , Kai (kai-redhat-bugs) wrote :

I'm not clear on the earlier comments in this bug.

If I understand correctly, this bug requests that Firefox should use the root CAs that are installed in the global system location /etc/pki/nssdb.

However, a Firefox profile clearly shouldn't use that global database for all certificates that NSS needs to manage. In other words, Firefox still needs a database that is private to the user, whether it's a user-global database (using shared db) or a profile-local database (which is still the default of Firefox).

So, I believe this bug requests some dynamic merge. It probably requests that Firefox should continue to use an NSS database from /home, and merge it with the root CA list stored in /etc.

I believe we don't have such a feature yet.
If we want this to happen, it must be implemented upstream, in the Mozilla platform core code.

We'd have to define how the merge shall happen. Both the global /etc and the /home database can contain information regarding roots. For example, a user can disable trust from builtin roots.

It will require defining the order of preference for conflicting trust settings for a single CA.