Seems I misunderstood the request. You are talking about a completely separate store, outside of the Windows store? I read the question as creating another store within the Windows store, as I have seen other applications do. Likely my statement is invalid then.
But why does Mozilla believe organizations would manage two certificate stores in two different ways? If an organization does unsafe things with their Windows certificate store (Mozilla's definition), wouldn't they do the same with their Mozilla store? No matter how diligent or lax an organization is with their root certificates, they are likely to make both certificate stores equivalent (so all apps work the same). Why are you forcing organizations to manage two stores when almost everyone will implement THE SAME EXACT CONFIGURATION in both stores?

Making organizations who want to support your products duplicate their efforts for no real benefit is why IT people do all they can to adopt other browsers.

Norman Vadnais
619.221.7189 (desk)
619.807.7045 (cell)

-----Original Message-----
From: Mike Connor [mailto:[email protected]]
Sent: Friday, March 04, 2016 8:08 PM
To: Vadnais, Norman G II CIV SPAWARSYSCEN-PACIFIC, 55340
Cc: Jeremy Moskowitz; [email protected]
Subject: Re: [Mozilla Enterprise] [Non-DoD Source] Re: enterprise root certificates: improving administrating Firefox on Windows

Hi Norman,

I haven't found any Microsoft documentation to that effect. Jeremy asked for a link, I'd also be curious to see where it's documented that applications using their own stores cannot maintain duplicate copies of certs. It'd make sense that the default Windows stores wouldn't accept duplicates, but I'd be surprised if application-specific stores were restricted in that way.

-- Mike

On Thu, Mar 3, 2016 at 10:22 PM, Vadnais, Norman G II CIV SPAWARSYSCEN-PACIFIC, 55340 <[email protected]> wrote:

Jeremy,

The way Mozilla detailed their inquiry, they want their organizational customers to post all trusted certificates into their named store inside the Windows certificate store.
The problem is, if an organization wants to trust any of the Microsoft supplied certificates, you must remove them from the Microsoft location and then place them into the Mozilla location; the Windows certificate store does not allow the same certificate to be loaded twice (the second load fails, "already there").

That design isn't sustainable. What if you had a second vendor's program insist on the same logic/rules as Mozilla proposed? It would be impossible to support both programs, based on the "only loaded once" rule.

So why should an organization use an application requiring a non-sustainable configuration? I don't think they should.

I have a high demand for Firefox. I have an even higher demand for strict certificate management for all of Windows and the apps that run on it. I am able to easily manage/control the certificates for all apps on Windows except Firefox.

Norman Vadnais
619.221.7189 (desk)
619.807.7045 (cell)

-----Original Message-----
From: Enterprise [mailto:[email protected]] On Behalf Of Jeremy Moskowitz
Sent: Wednesday, March 02, 2016 6:05 AM
To: [email protected]
Subject: [Non-DoD Source] Re: [Mozilla Enterprise] enterprise root certificates: improving administrating Firefox on Windows

Norman.. you wrote:

"Mike, Daniel, all,
No, it does NOT make sense to implement what Daniel is proposing. Windows only allows certificates to be placed in the store once,"

Can you explain this a little better to me / us? I'm not sure I'm following the idea where certs can only be placed in the store ONCE.

Thanks. Is there a demo / article you can reference please? Thanks!

As an aside. Some people might already know this, but we here at PolicyPak have an excellent solution managing Firefox + Certificates using Group Policy for the Enterprise...

In case anyone needs to have this problem completely handled NOW:
http://www.policypak.com/products/manage-mozilla-firefox-with-group-policy.html
(Adding / Removing Certificates is the second video down.)
--
Jeremy Moskowitz, Group Policy MVP
Founder PolicyPak Software
Home of GPanswers.com

_______________________________________________
Enterprise mailing list
[email protected]
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise or send an email to [email protected] with a subject of "unsubscribe"

