It’s the second reason, but for more than just cert distribution via policy. Other software that is part of most baselines works with the OS store. This usually means that extra steps would have to be taken to ensure that the NSS store would have the needed certs and/or get smartcard authentication working.
I can understand the position that Mozilla is in regarding cert policy. They are one of the most aggressive parties involved and easily the most vocal supporter of end users. There isn’t any way of telling which certificates are “stock” CAs and which are internal or custom...once they are in the store. There may be a way, however, on domain joined machines to determine if there is an enterprise integrated root...that isn’t going to catch all scenarios, though. In the end, the best approach might be to allow an admin to turn on a certificate sync policy that compares the delta between the NSS and OS store against a blacklist and then imports the certs that don’t fail the blacklist check.

Regards,

J

From: Brian Smith
Sent: January 28, 2013 12:34 AM
To: joshua toon
CC: dev-platform@lists.mozilla.org
Subject: Re: Supporting the Windows Certificate Store

Joshua Toon wrote:
> I know that there are probably well thought out reasons that this
> isn't a feature already...BUT! Lots of US Government users can't
> use Firefox because it doesn't use the Windows certificate store.

Please explain why NSS's trusted root store doesn't work for them. Is it because Microsoft's builtin root store has some CAs that we don't? Or, is it because the US Government uses Windows' group policy stuff to add their own custom CAs to every PC, and we don't pick up those custom CAs?

> Would anyone be totally opposed to adding this feature and having it
> enabled via group policy? That would allow some IT shops to roll it
> out with their preferred smart card middleware...like ActivClient.

Or, is the problem that these users cannot use their smartcards (doing client authentication)?

The most controversial thing would be to support using Microsoft's builtin root CA list instead of NSS's, even as an option. The compatibility problems due to our set not matching Microsoft's are painful, but also people will object to the idea of switching to Microsoft's root list wholesale, because it hurts Mozilla's position at the negotiating table to improve CA-related policy stuff. That is something that is best discussed on dev.security.policy.

I would very much welcome any assistance in getting better support for administrator-added root certificates into Firefox. I am not sure how we can, using Microsoft's APIs, distinguish roots that are trusted because they are built in Microsoft's built-in list from roots that are trusted because a user or sysadmin explicitly added them. If there is a way to make such a distinction, then I would gladly help with a feature that allowed us to seamlessly trust the sysadmin-/user-added roots in the Windows certificate database.

I also think it would be *great* and (almost) totally non-controversial to add support for using CAPI/CNG instead of NSS for smartcard authentication on Windows, and I would welcome the patches and help push them along. (Chromium already has patches to allow NSS's libssl to do client authentication using CAPI smartcards, IIRC, and I would be glad to help integrate them into NSS upstream if there is somebody that wants to help with the Firefox UI integration with CAPI/CNG.)

Cheers,
Brian

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
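An added example, not code from the thread or from Mozilla, sketching the delta-plus-blacklist sync Joshua describes and the built-in versus admin-added distinction Brian asks about. It assumes the registry layout of Windows' physical root stores (subkey name = SHA-1 thumbprint; the Group Policy and Enterprise stores are only populated by an admin or AD, AuthRoot by Microsoft's root program), and the blacklist thumbprint is a constructed placeholder.

```powershell
# Added example (not from the thread): list roots that a domain admin pushed
# (Group Policy / Enterprise physical stores) rather than Microsoft shipped,
# drop any on an admin-supplied blacklist, and export the rest as PEM for
# import into an NSS database.
# Assumption: physical store registry paths and subkey = thumbprint layout.

$Blacklist = @('0000000000000000000000000000000000000000')  # constructed placeholder

# Physical stores that only an administrator or Active Directory can populate.
$AdminStores = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates',  # Group Policy
    'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates'        # AD-published
)
# Physical store populated by Microsoft's automatic root update.
$BuiltinStores = @(
    'HKLM:\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates'
)

function Get-StoreThumbprints([string[]]$Paths) {
    $Paths | Where-Object { Test-Path $_ } | ForEach-Object {
        Get-ChildItem $_ | ForEach-Object { $_.PSChildName.ToUpperInvariant() }
    }
}

$adminAdded = @(Get-StoreThumbprints $AdminStores)
$builtin    = @(Get-StoreThumbprints $BuiltinStores)

# The logical Root store is the union of the physical stores; keep the
# certificate objects so the survivors can be exported.
$candidates = Get-ChildItem Cert:\LocalMachine\Root | Where-Object {
    $adminAdded -contains $_.Thumbprint -and $builtin -notcontains $_.Thumbprint
}

foreach ($cert in $candidates) {
    if ($Blacklist -contains $cert.Thumbprint) {
        Write-Warning "Skipping blacklisted root $($cert.Thumbprint) ($($cert.Subject))"
        continue
    }
    $pem  = "-----BEGIN CERTIFICATE-----`n" +
            [Convert]::ToBase64String($cert.RawData, 'InsertLineBreaks') +
            "`n-----END CERTIFICATE-----"
    $file = Join-Path $env:TEMP "$($cert.Thumbprint).pem"
    Set-Content -Path $file -Value $pem -Encoding ascii
    # Import into the NSS profile db with NSS's certutil as a trusted CA root:
    #   certutil -d sql:<profile dir> -A -n "<nickname>" -t "C,," -i $file
    "$($cert.Thumbprint)  $($cert.Subject)  -> $file"
}
```

Run it as a regular user on a domain-joined machine; it only reads the stores, so the result is an audit list of what a sync policy would import, not a change to either store.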