Keystore, , ca-certificates, browser.xul.error_pages.expert_bad_cert and more basic questions
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Sun Feb 23 16:25:04 UTC 2014
On 02/23/2014 11:12 AM, kwadronaut wrote:
> * It seems like it's not relying on ca-certificates but instead using
> its own root keystore. Is that assumption correct? If not, how can I
> find out?
This has always been the case for iceweasel and icedove and anything
else that relies on libnss.
It's possible that we could change this so that NSS-dependent packages
would rely on the system's ca-certificate configuration, but no one has
done the work to make that happen.
Here is a debian bug proposing the way forward:
https://bugs.debian.org/704180
> * Sometimes I don't get the 'I understand the risks' option when
> visiting an https page (sec_error_unknown_issuer) but, when visiting a
> different site, also using a cert from CaCert, I *do* get that option. I
> can set browser.xul.error_pages.expert_bad_cert to true and have the
> option everywhere, but that doesn't help me understanding *why.* I
> tested with https://labs.riseup.net and https://wiki.cacert.org
The difference between "i understand the risks" and being fully locked
out is likely to do with HSTS (the HTTP Strict-Transport-Security header):
See the (non-normative) suggestions of the STS RFC, which suggest "No
User Recourse":
https://tools.ietf.org/html/rfc6797#section-12.1
> * Icedove in Debian stable is still on 17 branch and I don't see
> anything more recent. So; if/when to expect that?
I don't know the plans here.
> I presume that
> packages like enigmail, iceowl-extension, calendar-timezones would
> remain on a version which is incompatible with the then-updated Icedove?
These questions are about icedove, which is completely different from
iceweasel. I'm not sure how they follow. The version of enigmail in
wheezy-security is 2:1.5.1+id17-3~deb7u1, which matches the version of
icedove in wheezy-security of 17.0.10-1~deb7u1.
If you don't have the security repository added to a wheezy installation
(NOT RECOMMENDED) then you'll have icedove 10.0.12-1 with enigmail
2:1.4.1-2.
hth,
--dkg
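To make the HSTS distinction above concrete, here is an added Python model (not from the original message, and not Mozilla's own code) of the RFC 6797 rules dkg points to: parsing the Strict-Transport-Security header, keeping a known-host store with includeSubDomains matching, and the "no user recourse" decision for a certificate error such as sec_error_unknown_issuer. The host names and header values are constructed for the demonstration.

```python
import re
import time

# RFC 6797 directive: name, optionally "=" and a token or quoted-string value.
_DIRECTIVE = re.compile(r'\s*([A-Za-z-]+)\s*(?:=\s*"?([^";]*)"?)?\s*')


def parse_sts(header):
    """Parse an STS header value into (max_age_seconds, include_subdomains).
    Returns None for an invalid header: missing/non-numeric max-age or a
    directive given twice (RFC 6797 section 6.1)."""
    seen = {}
    for part in header.split(";"):
        if not part.strip():          # empty directives are permitted by the ABNF
            continue
        m = _DIRECTIVE.fullmatch(part)
        if not m:
            return None
        name = m.group(1).lower()
        if name in seen:
            return None
        seen[name] = m.group(2)
    if not (seen.get("max-age") or "").isdigit():
        return None
    return int(seen["max-age"]), "includesubdomains" in seen


class HstsStore:
    """Known HSTS Hosts, as a browser would remember them."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._hosts = {}           # host -> (expiry_timestamp, include_subdomains)

    def note_header(self, host, header, cert_valid=True):
        """Record an STS header seen over HTTPS. RFC 6797 section 8.1: the
        header is ignored if the connection itself had certificate errors."""
        if not cert_valid or (parsed := parse_sts(header)) is None:
            return
        max_age, sub = parsed
        if max_age == 0:                       # max-age=0 forgets the host
            self._hosts.pop(host.lower(), None)
        else:
            self._hosts[host.lower()] = (self._now() + max_age, sub)

    def is_known(self, host):
        """Exact match, or a superdomain match that set includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def cert_error_overridable(self, host):
        """Whether 'I understand the risks' is offered: never for a known HSTS host."""
        return not self.is_known(host)
```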