Re: How to permanently delete root CAs from mozilla products?

On Sat, 2011-09-17 at 13:28 +0200, Christoph A. wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
> 
> > I believe that as part of your login/usage of Firefox & Thunderbird, a
> > profile is created in ~/.mozilla (FF) and ~/.thunderbird (TB) and within
> > each of your profiles is a file cert8.db file which is a personalized
> > version of the certificate store relevant only to your profile. This is
> > what you are maintaining when you 'manage' certificates within FF/TB
> > Security settings.
> 
> I thought so too till I noticed that my modifications in mozilla's
> "certificate manager" are non-persistent, but you are probably right.
> 
> By "non-persistent" I mean the following:
> - I remove a root CA in the "Authorities" tab of mozilla's "certificate
> manager" by hitting the delete button
> - I close the certificate manager
> - I reopen the certificate manager
> - The - previously removed - root CA is again there.
> In general this procedure is described here:
> https://support.mozilla.com/en-US/kb/deleting-diginotar-ca-cert
> (but I'm doing it with other root CAs)
> Why are modifications to mozilla's root certificate list non-persistent?
> How do I permanently delete a root CA from the trusted list?
> 
> Update:
> Now while writing this email and doing some tests I realized that the CA
> is still listed but the trust flag is removed (you can see it if you
> click "Edit...").
> The problem with this is: I can't easily distinguish which CAs are
> trusted and which are not (I have to click "Edit..." on every CA to see
> the trust settings). It would be much easier to delete all but a few of
> them (according to my policy and needs). Is that possible?
----
I remember having to delete a certificate 2 times to actually physically
remove it - the first time sets it to untrusted and the second one
finally purges it, but I think from a safety point of view, it is probably
better to only delete it 1 time to set it to non-trusted and leave it
there so there is no ambiguity - it is not to be trusted.

Yes, there is no easy way to distinguish trusted/non-trusted
certificates without actually viewing them.

Craig
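
Added example, not part of the original message: one way to see at a glance which CAs still carry SSL trust is to filter the listing printed by NSS `certutil -L`, where a `C` in the first (SSL) trust field marks a CA trusted to issue server certificates. The function names, the `PROFILE_DIR` placeholder and the sample listing are assumptions constructed for illustration.

```shell
#!/bin/sh
# Classify CA entries by their NSS trust flags.
# Live use (assumes certutil from nss-tools; PROFILE_DIR is a placeholder
# for the directory that holds your profile's certificate database):
#   certutil -L -d "PROFILE_DIR" -h all | list_ssl_trust

# Reads `certutil -L` output on stdin and prints one line per certificate:
#   TRUSTED<TAB>nickname    or    untrusted<TAB>nickname
list_ssl_trust() {
    awk '
        # A data line ends with three comma-separated flag fields
        # (SSL,S/MIME,JAR/XPI); header and blank lines do not match.
        match($0, /[ \t]+[A-Za-z]*,[A-Za-z]*,[A-Za-z]*[ \t]*$/) {
            nick  = substr($0, 1, RSTART - 1)
            flags = substr($0, RSTART)
            gsub(/[ \t]/, "", flags)
            split(flags, f, ",")
            if (nick == "") next
            # "C" in the SSL field = trusted CA for server certificates.
            state = (index(f[1], "C") > 0) ? "TRUSTED" : "untrusted"
            printf "%s\t%s\n", state, nick
        }
    '
}

# Constructed sample in the layout certutil prints (not real CA names).
sample_listing() {
    cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA A                       C,C,C
Builtin Object Token:Example Root CA B                       ,,
Example Mail-Only CA                                         ,C,
EOF
}

# Stand-alone run: classify the constructed sample.
sample_listing | list_ssl_trust
```

An entry that is still listed but shows empty SSL flags corresponds to the "listed but trust removed" state described in the thread.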


