Confirm, administrator
5,526
edits
Changes
m
minor updates
Mozilla as distributed includes various CA certificates by default, in order to reduce the amount of configuration users have to do before they can use Mozilla for these cryptographic-based functions.
As discussed in the answer to the previous question, in order to verify a certificate for a web server, or email user, or code developer, Mozilla must have the certificate for the CA that issued (i.e., digitally signed) the certificate being verified. If the CA is an intermediate CA then Mozilla must also have the certificate for the CA that issued the intermediate CA's certificate, in order to verify that certificate as well. This other CA may be a root CA or yet another intermediate CA; in the latter case yet another CA will be involved, and so on.
Mozilla continues verifying certificates until it comes to a point where it needs a root CA certificate, corresponding to the root CA that issued the original web server, etc., certificate or that issued an intermediate CA's certificate. Since root CA certificates are self-signed, Mozilla can verify such a certificate using the public key in the root CA certificate itself, and if that verification completes successfully then the process is done.
However it is also convenient for Mozilla to keep its own copies of certificates, including root CA certificates in particular. Among other things, Mozilla can mark a given root CA certificate as being valid for verifying certain types of certificates, and as not being valid to verify other types of certificates.
For example, a particular root CA may issue certificates only for web servers, not for email users or code developers; in the Mozilla certificate database this root CA's certificate could be marked as being valid only for verifying web server certificates. If Mozilla receives a email user certificate issued by this root CA (or by an intermediate CA under the root CA) it would then raise an error condition and alert the user; on the other hand web server certificates issued by the root CA (or an intermediate CA under it) would be verified by Mozilla without error and with no need for user intervention.
This process of marking root CA certificates as being valid for verifying certain types of certificates is commonly known as "trusting" the root CA, and the special flags associated with each root CA certificate are known as "trust bits".
If Mozilla or related software did not already have a copy of a given root CA certificate then it would be unable to automatically determine whether certificates issued by that root CA (or subordinate CAs) should be accepted or not, and would have to prompt the user as to what to do. Most users don't know what CAs are or don't possess the necessary information to properly decide what Mozilla should dodetermine the correct action. To prevent these typical Mozilla users from having to deal with this issue, Mozilla and related software includes a pre-loaded set of default root CA certificates, with the trust bits set appropriately.
These pre-loaded root CA certificates are distributed with Mozilla and related software in the form of a shared library installed on users' systems along with the rest of the software executable code. They can therefore be updated when new versions of the software are released.
