Confirmed users, Administrators
5,526
edits
CA/Changing Trust Settings: Difference between revisions
Jump to navigation
Jump to search
m
→How To Override Default Root Certificate Settings
| Line 9: | Line 9: | ||
CAs apply to have their root certificates [http://www.mozilla.org/projects/security/certs/included/ included by default in Mozilla products] by following the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy] and applying for inclusion as per [[CA:How_to_apply|CA:How_to_apply]]. | CAs apply to have their root certificates [http://www.mozilla.org/projects/security/certs/included/ included by default in Mozilla products] by following the [http://www.mozilla.org/projects/security/certs/policy/ Mozilla CA Certificate Policy] and applying for inclusion as per [[CA:How_to_apply|CA:How_to_apply]]. | ||
Some browsers only display the root certificates that the user has actually used. Even though the user only sees a small number of root certificates, the browser actually has a larger number of root certificates that are implicitly trusted. The moment the user browses to a website whose SSL cert chains up to a root certificate that is in the browser's trusted list, the root will be imported and then be visible. Therefore, even though the root cert was not visible to the user before, it was still already implicitly trusted by the browser. Mozilla believes it is important for users to know the root certificates that could be used, so the full set of default certificates is always shown. | Some browsers only display the root certificates that the user has actually used. Even though the user only sees a small number of root certificates, the browser actually has a larger number of root certificates that are implicitly trusted. The moment the user browses to a website whose SSL cert chains up to a root certificate that is in the browser's trusted list, the root will be imported and then be visible. Therefore, even though the root cert was not visible to the user before, it was still already implicitly trusted by the browser. Mozilla believes it is important for users to know the root certificates that could be used, so the full set of default certificates is always shown. Since you know the list of root certificates that could be used if you browsed to a website whose SSL certificate chained up to them, you can edit the trust bits for the root certificates that you do not want to use. | ||
Since you know the list of root certificates that could be used if you browsed to a website whose SSL | |||
Users of Mozilla products may override the default root certificate settings by either deleting the root certificate or by changing the trust bit settings of a root certificate. The sections below describe how to make these changes, and how the software responds to such changes. | Users of Mozilla products may override the default root certificate settings by either deleting the root certificate or by changing the trust bit settings of a root certificate. The sections below describe how to make these changes, and how the software responds to such changes. | ||