by xoa 957 days ago
Late, so I don't know if you will see this, but from the very beginning, the security.enterprise_roots.enabled preference always stated it applied to certificates added, not those included by default, e.g. [0]. System vs. User context is still different from baked-in vs. added. On macOS, for example, the System keychain contains certificates added that are then accessible by all users and can only be added by an Administrator, and the separate System Roots keychain holds the root certificates (151 on the Mac I'm sitting in front of) that Apple ships with the OS. Firefox reading from both the "login" and "System" keychains doesn't mean reading from "System Roots". The suggested release notes for the bug report you linked reinforce this [1] (capitalization emphasis added):

>[Suggested wording]: By default, Firefox will now use TLS trust anchors (e.g., certificates) ADDED to the operating system by the user or an administrator. This works on Windows, macOS, and Android, and it can be turned off in the "Privacy & Security" section of Firefox settings, under "Certificates".

If you think all of these descriptions have been wrong all along from the code, that'd definitely be worth bringing up on Bugzilla. Personally I'm happy to have it enabled by default vs. always needing to remember to do so, if it's working as described. I think support for one's own CAs should be encouraged, even if the overall UX around running your own CA is mediocre right now.

----

0: https://support.mozilla.org/en-US/kb/how-disable-enterprise-... :

>"Mozilla has added an Enterprise Roots preference to Firefox as a solution to the problem. This preference can be used to import any root certificate authorities (CAs) that have been added to the operating system, to resolve your TLS connection error. You can determine if a website is relying on an imported root certificate by clicking the Site Information icon in the address bar."

1: https://bugzilla.mozilla.org/show_bug.cgi?id=1848815