Nelson Bolyard wrote:
The "built-in" list of CAs, and the built-in list of trust info is no longer stored in the cert DB. It's in a shared library that gets replaced when a new (or old) version of mozilla is installed.
[snip]
If users CHANGE the trust settings on a root CA, or import a new root CA and trust, the new CA and trust info goes into the cert DB.
So in essence a new release of Mozilla could remove or "revoke" CA certs on behalf of all the users who were trusting to Mozilla to do the right thing, while not affecting users who had exercised their own judgement.
Prior to NSS 3.4, which was introduced into mozilla in moz 1.3 or perhaps earlier (not sure), the built-in certs and their trust info were all copied into the cert DB. So users of mozilla whose cert DBs originated before NSS 3.4 will still have a LOT of root CA certs in them.
But users whose cert DBs originated in moz 1.3 or later (including N7.1 IINM), should have rather few CA certs in their cert DBs.
But I guess this is not *quite* true: If a new CA cert were added and trust flags turned on, that would affect everyone who upgraded to the new version, and users who preferred to trust their own judgement on CA certs would not necessarily be alerted during the installation process or thereafter. Instead they would have to manually check the CA cert list after the upgrade (or read the release notes).
Yes, this has always been true for NSS users, IINM.
Frank
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
