Nelson Bolyard wrote:
> Frank, things work rather differently now than they did 4 years ago.
> The "built-in" list of CAs, and the built-in list of trust info is
> no longer stored in the cert DB.  It's in a shared library that gets
> replaced when a new (or old) version of mozilla is installed.

Thanks for the info. This has not been the first time, nor will it be the last, that my ignorance has led me astray.


> If users CHANGE the trust settings on a root CA, or import a new root
> CA and trust, the new CA and trust info goes into the cert DB.

So in essence a new release of Mozilla could remove or "revoke" CA certs on behalf of all the users who were trusting to Mozilla to do the right thing, while not affecting users who had exercised their own judgement.


But I guess this is not *quite* true: If a new CA cert were added and trust flags turned on, that would affect everyone who upgraded to the new version, and users who preferred to trust their own judgement on CA certs would not necessarily be alerted during the installation process or thereafter. Instead they would have to manually check the CA cert list after the upgrade (or read the release notes).

Frank

--
Frank Hecker
hecker.org
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
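The point Frank raises, that a user who relies on their own judgement about root CAs would have to manually compare the CA list before and after an upgrade, can be automated. The script below is an added example, not code from this thread or from the Mozilla/NSS project. It assumes two snapshots of the certificate list in the layout of NSS `certutil -L` (nickname, then trust attributes in SSL,S/MIME,JAR/XPI order); the two listings embedded here are constructed samples, not real output. It reports built-in roots that appeared with trust flags turned on, roots that disappeared, and roots whose trust flags changed, which is exactly the information a release upgrade can silently alter.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample snapshots in the layout of `certutil -L` output.
# Taken "before" and "after" a hypothetical browser upgrade; not real data.
BEFORE_UPGRADE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA 1                       CT,C,C
Builtin Object Token:Example Root CA 2                       CT,C,C
Builtin Object Token:Example Legacy Root                     CT,C,C
My Corporate Root (user imported)                            CT,,
"""

AFTER_UPGRADE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA 1                       CT,C,C
Builtin Object Token:Example Root CA 2                       ,,
Builtin Object Token:Example New Root CA                     CT,C,C
My Corporate Root (user imported)                            CT,,
"""

# A listing line: nickname, at least two spaces, then the trust flag string
# (letters p/P/c/C/T/u/w separated by commas; ",," means no trust at all).
_LINE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[pPcCTuw,]*)$")


def parse_listing(text: str) -> Dict[str, str]:
    """Map each certificate nickname to its trust attribute string."""
    certs: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip the two header lines and blank separators.
        if not line or line.startswith("Certificate Nickname") or line.lstrip().startswith("SSL,"):
            continue
        m = _LINE.match(line)
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def is_trusted_root(trust: str) -> bool:
    """'C' (trusted CA) or 'T' (trusted CA for client auth) in any slot."""
    return any(ch in trust for ch in "CT")


@dataclass
class CaDiff:
    added_trusted: List[str] = field(default_factory=list)      # new roots already trusted
    removed: List[str] = field(default_factory=list)            # roots no longer present
    trust_changed: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # nick -> (old, new)


def diff_listings(before: str, after: str) -> CaDiff:
    """Compare two snapshots and report what an upgrade changed."""
    old, new = parse_listing(before), parse_listing(after)
    added_trusted = sorted(n for n in new.keys() - old.keys() if is_trusted_root(new[n]))
    removed = sorted(old.keys() - new.keys())
    changed = {n: (old[n], new[n]) for n in old.keys() & new.keys() if old[n] != new[n]}
    return CaDiff(added_trusted, removed, changed)


def report(d: CaDiff) -> str:
    """Human-readable summary suitable for a post-upgrade check."""
    lines = []
    for n in d.added_trusted:
        lines.append(f"NEW TRUSTED ROOT: {n}")
    for n in d.removed:
        lines.append(f"REMOVED ROOT:     {n}")
    for n, (o, nw) in d.trust_changed.items():
        lines.append(f"TRUST CHANGED:    {n}  {o} -> {nw}")
    return "\n".join(lines) if lines else "No root CA changes detected."


if __name__ == "__main__":
    print(report(diff_listings(BEFORE_UPGRADE, AFTER_UPGRADE)))
```

In practice the two snapshots would come from running `certutil -L` against the profile's cert DB before and after installing a new release, with the reference copy kept somewhere the installer cannot overwrite. A user-imported root (the "My Corporate Root" entry in the sample) lives in the cert DB and is unchanged by the upgrade, matching the behaviour Nelson describes; only the built-in entries move.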
