Closed Bug 472055 Opened 16 years ago Closed 16 years ago

Certificate Manager appears to allow deletion of built-in certs, but doesn't.

Categories

(Core :: Security: PSM, defect)

x86
Linux
defect
Not set
major

VERIFIED DUPLICATE of bug 345934

People

(Reporter: frank, Assigned: KaiE)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.10 (intrepid) Firefox/3.0.5
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008121622 Ubuntu/8.10 (intrepid) Firefox/3.0.5

If you attempt to remove the trust relationship with any of the default CAs provided with Firefox's install, it will go through the UI motions of indicating that the cert is being deleted, including warning that certs issued by the authority will no longer be trusted if you delete the CA cert. However, if you bring the Certificate Manager back up, the "deleted" certs show back up.

This is a fairly major problem with some security issues. What if a CA becomes untrustworthy for whatever reason the user has (See Comodo...)? I should be able to remove the trust relationship completely with a CA with the predictable consequence of "issues" with my SSL stuff.

Reproducible: Always

Steps to Reproduce:
1. Bring up the preferences dialog, select encryption, click View Certificates.
2. Select Authorities, click on an authority, and delete the same.
3.

Actual Results:
The "trusted" CA cert still stays in the list of trusted certs.

Expected Results:
It should have completely removed the cert from the list, never to return, whatever the consequences.

This is a UI problem, but not a security issue. You can't "delete" the built-ins because they don't exist in the database, they are truly built-in to the code. You can, however, "edit" built-in certs and remove all their trust bits. This is effectively the same thing as deleting them: any certs signed by that root will no longer be trusted. The UI shouldn't mislead you into thinking it deleted something from the cert manager when it did not, so I think there is a valid UI bug here.
Assignee: nobody → kaie
Group: core-security
Status: UNCONFIRMED → NEW
Component: Security → Security: PSM
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → psm
Summary: Default CA certs not being deleted via Certificate Manager → Certificate Manager appears to allow deletion of built-in certs, but doesn't.
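
The behaviour discussed in this bug, as an added example that is not part of the original report and is not NSS or PSM code: a simplified model of a read-only built-in root list layered under a writable user certificate database. The names `CertStore`, `BUILTIN_ROOTS`, the sample CA names, and the choice to keep trust overrides for built-ins in the writable store are assumptions of the model.

```python
# Simplified model (not NSS/PSM code): a read-only built-in root list
# layered under a writable user certificate database.
BUILTIN_ROOTS = {"Example Root CA": {"ssl", "email", "code"}}  # constructed sample

class CertStore:
    def __init__(self):
        self.user_certs = {}       # name -> trust bits for certs stored in the user DB
        self.trust_overrides = {}  # name -> trust bits overriding a built-in (model assumption)

    def import_ca(self, name, trust):
        self.user_certs[name] = set(trust)

    def delete(self, name):
        """Delete only touches the user DB; returns True if something was removed."""
        return self.user_certs.pop(name, None) is not None

    def edit_trust(self, name, trust):
        if name in self.user_certs:
            self.user_certs[name] = set(trust)
        elif name in BUILTIN_ROOTS:
            self.trust_overrides[name] = set(trust)  # the built-in entry itself is untouched
        else:
            raise KeyError(name)

    def list_authorities(self):
        """What an Authorities list would show: built-ins plus user DB entries."""
        return sorted(set(BUILTIN_ROOTS) | set(self.user_certs))

    def trust_bits(self, name):
        if name in self.user_certs:
            return set(self.user_certs[name])
        if name in self.trust_overrides:
            return set(self.trust_overrides[name])
        return set(BUILTIN_ROOTS.get(name, ()))

    def is_trusted_for(self, name, usage):
        return usage in self.trust_bits(name)

def demo():
    store = CertStore()
    store.import_ca("Imported Test CA", {"ssl"})
    deleted_builtin = store.delete("Example Root CA")     # nothing in the DB to remove
    deleted_imported = store.delete("Imported Test CA")   # really gone
    still_listed = "Example Root CA" in store.list_authorities()
    trusted_before = store.is_trusted_for("Example Root CA", "ssl")
    store.edit_trust("Example Root CA", set())            # remove all trust bits
    trusted_after = store.is_trusted_for("Example Root CA", "ssl")
    return deleted_builtin, deleted_imported, still_listed, trusted_before, trusted_after
```

In this model, deleting the built-in reports nothing removed and the entry is still listed, while clearing its trust bits makes it untrusted for SSL even though it remains in the list.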
according to bug 222139, it's bug 345934
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED