Recognition means that web browsers are required to ensure support and interoperability for the QWAC for the sole purpose of displaying identity data in a user-friendly manner. *Recognition of QWACs implies that browsers shouldn't question the origin, integrity or data in the certificate*.
However, the requirement to recognise QWACs does not affect browser security policies and leaves web browsers free to preserve their own procedures and criteria for encryption and authentication of *other certificates*.
As I commented there, you've misunderstood this change.
There's a difference between certificates distributed with the OS and certificates added to the OS by a user. Right now Firefox ignores both.
This change ONLY picks up the certificates added to the OS by a user. Firefox will continue to ignore the certificates included with the OS store by default.
Literally in the Bugzilla entry it is stated "either by user or administrator", so either you misunderstood or you need to raise this directly on the bug for correction.
EDIT: for clarity, something I should have done from the beginning, I checked the affected code: they clearly remove warnings around the security.enterprise_roots.enabled preference and enable it by default. This is the preference that was added back in the day to control whether the browser will allow root certificates added to the OS no matter the source (user or system context), and now they change it to true by default. I think this provides more clarity, but feel free to search the affected code for references that indicate that only part of the root certificate store is trusted.
Late, so don't know if you will see this, but from the very beginning the security.enterprise_roots.enabled preference always stated it applied to certificates added, not those included by default, e.g. [0]. System vs User context is still different from baked-in vs added. On macOS, for example, the System keychain contains certificates added that are then accessible by all users and can only be added by an Administrator, and the separate System Roots keychain holds the root certificates (151 on the Mac I'm sitting in front of) that Apple ships with the OS. Firefox reading from both the "login" and "System" keychains doesn't mean reading from "System Roots". The suggested release notes for the bug report you linked reinforce this [1] (capitalization emphasis added):
>[Suggested wording]: By default, Firefox will now use TLS trust anchors (e.g., certificates) ADDED to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the "Privacy & Security" section of Firefox settings, under "Certificates".
If you think all of these descriptions have been wrong all along relative to the code, that'd definitely be worth bringing up on Bugzilla. Personally I'm happy to have it enabled by default vs always needing to remember to do so, if it's working as described. I think support for one's own CAs should be encouraged, even if the overall UX around running your own CA is mediocre right now.
>"Mozilla has added an Enterprise Roots preference to Firefox as a solution to the problem. This preference can be used to import any root certificate authorities (CAs) that have been added to the operating system, to resolve your TLS connection error. You can determine if a website is relying on an imported root certificate by clicking the Site Information icon in the address bar."
This isn't the right summary. Firefox still uses its own root store and ignores any certificates distributed by default in the OS. However, if the user installs their root to the OS, Firefox will also pick it up. This is how other browsers work.
> By default, Firefox will now use TLS trust anchors (e.g., certificates) added to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the "Privacy & Security" section of Firefox settings, under "Certificates".
What you state, "ignores any certificates distributed by default in the OS.", is the as-is situation, which is changing in the next weeks: you need to specifically opt out, and it will include ALL the certificates no matter if they come from the user or the system. So please elaborate on why you think it is the wrong summary.
There's a difference between certificates distributed with the OS and certificates added to the OS by a user. Right now Firefox ignores both. This change ONLY picks up the certificates added to the OS by a user.
I believe CF and others buckled under pressure from major websites which didn't want to be used as fronts for other websites' traffic. ECH fixes this because individual sites get to opt in to using it.
... and this is exactly what will happen to cloudflare-ech.com.
I'm really disappointed with how the ECH spec panned out. It's almost like "make sure middleboxes and GFW can block this" was a hard requirement. They should've made the handshake look like a session resumption (i.e. pre-shared key), since those aren't required to send a server name.
https://ec.europa.eu/commission/presscorner/detail/en/QANDA_...