Closed
Bug 685525
Opened 13 years ago
Closed 13 years ago
Automatic updates re-trust CAs that I do not trust
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 173729
People
(Reporter: eggled, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:6.0.2) Gecko/20100101 Firefox/6.0.2
Build ID: 20110902133214
Steps to reproduce:
I distrusted a couple of CAs whose trust is suspect. Firefox updated and automatically re-trusted those CAs for me (I had to re-untrust them).
Actual results:
I removed trust because these CAs were NOT trustworthy (Comodo; Diginotar) - and the installer overrode my security enhancements.
Expected results:
If I've elected not to trust CAs that Mozilla thinks are trustworthy, please respect my knowledge of the matter and retain my trust settings through updates.
Never mind - the trust settings never even take effect (at least post-update, I'm not 100% certain I checked pre-upgrade).
I'm surprised that I'd get confirmation dialogs warning me of the fallout from untrusting a CA, and I'd see its removal from the list, and yet closing/re-opening the dialog results in a return of the CAs in my trust store.
Comment 2•13 years ago
How did you distrust the CA, using "Edit Trust" or using "Delete or Distrust"? Note that if you delete a built-in CA, it will be recreated, but with all trust flags removed (as explained in the dialog box).
Also note that Diginotar is blocked at a much lower level (hardcoded); it's not necessary to edit the trust itself (i.e. you can't enable them anymore).
I used 'Delete or Distrust', and I misunderstood the reaction - it deletes the certificate from the list (until you close & reopen).
I still think there's a bug here, but it's much smaller than I had thought. It should be far more obvious that 'Delete or Distrust' is only distrusting the certificate. The cert manager makes it appear as though you've deleted it (it's visibly removed from the list) - but when you come back, it has returned.
This would be better if these were true:
- untrusted certificates were grayed out or had some other visible change
- 'delete or distrust' on a built-in certificate didn't remove it from the list (since it's not being deleted), but just changed its appearance per above.
Last: Good to know about the hardcoding of the trust - I wasn't aware of that.
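Because the Certificate Manager shows a "deleted" built-in CA as gone until the dialog is reopened, the reliable way to see what trust a profile actually holds is the NSS database itself. The following is an added example (not part of this bug report or of Mozilla's code): it parses the nickname / trust-attribute columns in the format `certutil -L` prints and classifies each CA by its SSL trust column, so a built-in whose flags were cleared by "Delete or Distrust" shows up as "no-trust" rather than vanishing. The listing embedded below is constructed sample data, not real profile output.

```python
"""Classify CA trust from `certutil -L`-style output (added example, hypothetical names)."""
import re

# Constructed sample in the shape of `certutil -L -d sql:<profile>` output.
# Trust columns are SSL,S/MIME,JAR/XPI; a built-in CA that was "deleted" in the
# Certificate Manager comes back with every column empty, i.e. ",,".
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Builtin Object Token:Example Root CA 1                       CT,C,C
Builtin Object Token:Example Root CA 2                       ,,
Builtin Object Token:Example Root CA 3                       p,p,p
my-own-client-cert                                           u,u,u
"""

# Nickname (may contain single spaces and colons), 2+ spaces, then three
# comma-separated flag groups at end of line. Header lines do not match.
LINE_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_listing(text: str) -> dict:
    """Map each certificate nickname to its raw trust attribute string."""
    entries = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if m:
            entries[m.group("nick").strip()] = m.group("trust")
    return entries


def classify_ssl_trust(flags: str) -> str:
    """Reduce the SSL column of an NSS trust string to one state.

    NSS flags: 'p' = explicitly distrusted, 'C' = trusted to issue server
    certs, 'u' = user (own) certificate. No flags at all means the CA is
    present but not trusted for anything, which is what clearing a
    built-in's trust produces.
    """
    ssl = flags.split(",")[0]
    if "p" in ssl:
        return "distrusted"
    if "C" in ssl:
        return "trusted-server-ca"
    if "u" in ssl:
        return "user-cert"
    return "no-trust"


def summarize(text: str) -> dict:
    """Nickname -> trust state for every entry in a listing."""
    return {nick: classify_ssl_trust(flags) for nick, flags in parse_listing(text).items()}


if __name__ == "__main__":
    for nick, state in summarize(SAMPLE_LISTING).items():
        print(f"{state:18} {nick}")
```

Run it against real output by piping `certutil -L -d sql:$PROFILE` into `summarize`; a built-in you thought you had deleted will still be listed, just with no trust.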
Updated•13 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE