Keystore, , ca-certificates, browser.xul.error_pages.expert_bad_cert and more basic questions

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Feb 23 16:25:04 UTC 2014


On 02/23/2014 11:12 AM, kwadronaut wrote:

> * It seems like it's not relying on ca-certificates but instead using
> its own root keystore. Is that assumption correct? If not, how can I
> find out?

This has always been the case for iceweasel and icedove and anything
else that relies on libnss.

It's possible that we could change this so that NSS-dependent packages
would rely on the system's ca-certificate configuration, but no one has
done the work to make that happen.

Here is a debian bug proposing the way forward:

   https://bugs.debian.org/704180

> * Sometimes I don't get the 'I understand the risks' option when
> visiting an https page (sec_error_unknown_issuer) but, when visiting a
> different site, also using a cert from CaCert, I *do* get that option. I
> can set browser.xul.error_pages.expert_bad_cert to true and have the
> option everywhere, but that doesn't help me understand *why.* I
> tested with https://labs.riseup.net and https://wiki.cacert.org

The difference between "I understand the risks" and being fully locked
out is likely to do with HSTS (the HTTP Strict-Transport-Security header):

See the (non-normative) suggestions of the STS RFC, which suggest "No
User Recourse":

 https://tools.ietf.org/html/rfc6797#section-12.1

> * Icedove in Debian stable is still on 17 branch and I don't see
> anything more recent. So; if/when to expect that?

I don't know the plans here.

> I presume that
> packages like enigmail, iceowl-extension, calendar-timezones would
> remain on a version which is
> incompatible with the then-updated Icedove?

These questions are about icedove, which is completely different from
iceweasel.  I'm not sure how they follow.  The version of enigmail in
wheezy-security is 2:1.5.1+id17-3~deb7u1, which matches the version of
icedove in wheezy-security, 17.0.10-1~deb7u1.

If you don't have the security repository added to a wheezy installation
(NOT RECOMMENDED) then you'll have icedove 10.0.12-1 with enigmail
2:1.4.1-2.

hth,

	--dkg
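The HSTS point above, as an added example that is not part of the original message: a parser for the Strict-Transport-Security header (RFC 6797 section 6.1) and a small model of the error-page decision, assuming the policy was cached from an earlier error-free visit (RFC 6797 section 8.1 says a UA must not note a host whose certificate failed validation). The header values are constructed samples.

```python
# Added example (not from the thread). Models why a cached HSTS policy turns
# the "I understand the risks" page into a hard block (RFC 6797 section 12.1).

def parse_hsts(value):
    """Parse an STS header value per RFC 6797 section 6.1.

    Returns {'max_age', 'include_subdomains', 'preload'} or None when the
    value is invalid (missing/non-numeric max-age, or a repeated directive)."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, raw = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # a directive MUST NOT appear more than once
        directives[name] = raw.strip().strip('"')
    if not directives.get("max-age", "").isdigit():
        return None  # max-age is REQUIRED and must be a non-negative integer
    return {
        "max_age": int(directives["max-age"]),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def override_allowed(cached_headers, cert_trusted):
    """Would the browser offer a click-through for this host?

    cached_headers: response headers from an earlier error-free HTTPS visit
    (assumption: that visit is what populated the UA's HSTS store)."""
    if cert_trusted:
        return True  # no error page at all
    policy = None
    for name, value in cached_headers.items():
        if name.lower() == "strict-transport-security":
            policy = parse_hsts(value)
    if policy is None or policy["max_age"] == 0:
        return True  # no (or withdrawn) policy: ordinary "add exception" flow
    return False  # known HSTS host: "No User Recourse", RFC 6797 section 12.1


# Constructed sample headers for the two kinds of site the question describes.
SAMPLE_HSTS = {"Server": "nginx",
               "Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
SAMPLE_PLAIN = {"Server": "apache"}
```

Setting browser.xul.error_pages.expert_bad_cert only changes the page shown; it does not change which hosts are in the HSTS store.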

