On Sat, 2011-09-17 at 08:52 +0200, Christoph A. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Hi,
>
> I'd like to remove certain root certificates from my trusted list in
> Firefox but any changes I make are not permanent.
>
> Is there a way to have per-user trusted root lists instead of a system
> wide list? I suppose manual changes are not effective because the list
> is managed via the package ca-certificates.
>
> I'd even like to go so far as to have separate root CA lists for Firefox
> and Thunderbird because for Thunderbird I only need a handful of CAs.
----
I recently developed a whole methodology of being my own CA using a series of shell scripts, which has taught me quite a bit on the subject, but I've not actually made much effort to uncover all of the details that comprise the user-level certificate stores employed by Mozilla software. The rest of this e-mail summarizes my current level of understanding.

Also, I have been using Ubuntu server these days because of the terrible lag in RHEL releases, exacerbated by the pathetically slow CentOS re-spins. Ubuntu is decidedly different w/r/t root certificate store management (other than the Mozilla internally managed stuff).

I believe that as part of your login/usage of Firefox & Thunderbird, a profile is created in ~/.mozilla (FF) and ~/.thunderbird (TB), and within each of your profiles is a cert8.db file, which is a personalized version of the certificate store relevant only to your profile. This is what you are maintaining when you 'manage' certificates within FF/TB Security settings.

As for permanence, I think any time you update FF or TB, it may update the personal certificate store that your profile(s) maintain, but otherwise it should remain untouched (just guessing here...never actually studied it).

ca-certificates is actually about the root certificate store for the OS and is not used at all by FF/TB, but other software is almost certain to use it.

Mozilla (actually Netscape) was pretty much the driver of early development of technologies such as trusted certificates and things like LDAP (note the similarity of object references such as CN, etc.) and thus all Mozilla software always maintained its own root certificate store rather than interface with the root certificate store that the OS provides.

Craig
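
An added example, not part of the original message or of any Mozilla code: a small audit script that finds the per-profile certificate databases described above for Firefox and Thunderbird and builds the NSS `certutil` commands to list a store or strip trust from one root. It assumes the usual `profiles.ini` layout, that NSS `certutil` is installed, and that newer profiles may hold `cert9.db` instead of `cert8.db`; the function names are hypothetical.

```python
import configparser
import shlex
from pathlib import Path

# Per-user profile roots named in the message above (relative to $HOME).
APP_ROOTS = {"firefox": ".mozilla/firefox", "thunderbird": ".thunderbird"}
# NSS database files: cert9.db is the SQLite format, cert8.db the legacy DBM one.
DB_PREFIX = {"cert9.db": "sql:", "cert8.db": "dbm:"}


def find_cert_stores(home):
    """Return one (app, profile_dir, db_file) tuple per certificate DB found."""
    stores = []
    for app, rel in APP_ROOTS.items():
        root = Path(home) / rel
        ini = configparser.ConfigParser(interpolation=None)
        ini.read(root / "profiles.ini")  # a missing file simply yields no sections
        for name in ini.sections():
            sec = ini[name]
            if not name.lower().startswith("profile") or "Path" not in sec:
                continue  # skip [General], [Install...] and malformed entries
            relative = sec.get("IsRelative", "1") == "1"
            pdir = root / sec["Path"] if relative else Path(sec["Path"])
            for db in DB_PREFIX:
                if (pdir / db).is_file():
                    stores.append((app, pdir, db))
    return stores


def list_cmd(profile_dir, db_file):
    """certutil command that lists certificates and trust flags in one store."""
    return ["certutil", "-L", "-d", DB_PREFIX[db_file] + str(profile_dir)]


def distrust_cmd(profile_dir, db_file, nickname):
    """certutil command that clears all trust flags (',,') for one certificate."""
    return ["certutil", "-M", "-n", nickname, "-t", ",,",
            "-d", DB_PREFIX[db_file] + str(profile_dir)]


if __name__ == "__main__":
    for app, pdir, db in find_cert_stores(Path.home()):
        print(f"{app}: {pdir / db}")
        print("  list:", shlex.join(list_cmd(pdir, db)))
        # "Example Root CA" is a constructed placeholder nickname.
        print("  edit:", shlex.join(distrust_cmd(pdir, db, "Example Root CA")))
```

The script only prints the commands; run them with the application closed, and take the nickname from the listing output of the same profile.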