77431 - Edit button for Web Site certs shows wrong interface

Status: VERIFIED FIXED

(Core Graveyard :: Security: UI, defect, P2)

Description

[Sean Cotter]

The Edit button for Web Site certs curently opens up the dialog for editing CA 
certs. Instead it should open a dialog box that looks like this:

This certificate:  [hostname from cert]
was issued by: [name of issuer]

[next sentence varies depending on trust for this cert's CA. If the CA is not 
trusted, it reads as follows:]

Because you do not trust the certificate authority that issued this certificate, 
you do not trust the authenticity of this certificate unless otherwise indicated 
here.

[If the CA is trusted, it reads as follows:]

Because you trust the certificate authority that issued this certificate, you 
trust the authenticity of this certificate unless otherwise indicated here. 

Edit certificate trust settings:

[these are radio buttons]

x  Trust the authenticity of this certificate.
x  Do not trust the authenticity of this certificate.

[Edit... button] Edit certificate authority trust settings.

The help target for this dialog is ?edit_web_certs.

The above changes will bring this dialog into line with PSM 1.4. 

Questions: 

- should the window title for this and other cert edit windows be "Edit 
Certificate Settings" as in PSM 1.4? Currently the window title is the name of 
the cert.

- Do we want this dialog to reflect the cert chain graphically, along the lines 
of the new View window?

Comment 1

[Sean Cotter]

Changed target to 2.0.

Comment 2

[Ian McGreer]

Darn.  somehow in my last big checkin, I implemented this but missed some text.
 What I have says:

This certificate X was issued by Y.

Edit certificate trust settings
...


I'm missing the text about whether or not the issuer is trusted.  I will attach
a screenshot.

This is still a bug then.  We need to make a decision whether this is to be
fixed now or not.

Comment 3

[Ian McGreer]

Attachment: edit web site cert trust interface

Comment 4

[Ian McGreer]

(Oh yeah, just a note about that image; that really is a self-signed cert, I'm
not showing the wrong issuer :)

Comment 5

[Sean Cotter]

Just to clarify, two things are still missing from this dialog:

- text above the radio buttons that varies according to trust state of cert

- Edit button labeled "Edit certificate authority trust settings"

The idea with the Edit button is that if you want to fix the CA trust settings,
you can do it from here, immediately, rather than navigating to the Authorities
panel. This button was present in PSM 1.x.

Also, the window title in the latest build is "Edit certificate trust". It's a
nit, but I would prefer "Edit certificate trust settings".

Comment 6

[David P. Drinan]

->p2

Comment 7

[David P. Drinan]

mcgreer,

Is this almost done or is it a lot more work?

Comment 8

[Stephane Saux]

Mass reassigning target to 2.1

Comment 9

[Stephane Saux]

->rangansen

Comment 10

[Stephane Saux]

removing nsenterprise keyword from PSM bugs with target milestone of future.

Comment 11

[John Unruh]

Mass assigning QA to ckritzer.

Comment 12

[Rangan Sen]

Attachment: patch

Comment 13

[Rangan Sen]

Adding the window sizing and typo foxes as well - This patch fixes this bug, as
well as bug# 82887

Comment 14

[Rangan Sen]

Attachment: patch

Comment 15

[Javier Delgadillo]

A few comments:

1) On the following line: 
<script src="chrome://global/content/strres.js" />

add 'type="application/x-javascript"' inside the script tag.

2) Why is this block commented out?  Should it even be included?

+/*
+  if(cacert == null)
+  {
+     var editButton = document.getElementById('editca-button');
+
 editButton.setAttribute("disabled","true");
+  }
+*/ 

Fix 1, and you'll have r=javi

Comment 16

[Rangan Sen]

Attachment: new patch

Comment 17

[Rangan Sen]

Done...Removed the commented part too. It was originally intended to hide the
'edit root ca' button' if root ca was unknown - I forgot to remove that later.

Comment 18

[Joe Hewitt (gone)]

My only comment is that the id "explanations" is mispelled as "explainations"

Other than that, sr=hewitt

Comment 19

[Rangan Sen]

Patch checked in.
I would also like to point out that the window, being persistent, remembers the
older value, and might show sizing issues first time, depending on the profile
used [bug# 94755]. This might be resized, though.

Comment 20

[ckritzer (gone)]

Okay,

1) The correct interface is being shown after clicking the [Edit] button for Web
Site cert(s) - the basic bug is fixed

2) The title of the Edit dialogue is still "Edit certificate trust" and not
"Edit certificate trust settings"

3) I need some assistance with getting a cert from a 'trusted authority'. I can
see the text in the "Edit certificate trust" dialogue which starts out with
"Because you do not trust the certificate authority...", but I need to check out
a trusted certificate authority to verify the text changes.

Any suggests?  Do we have an internal site which will do this?  Or perhaps the USPS?

Sean, are you happy with the text title in #2 above?  If not, we can hold this
bug open, or open a new bug.  Let me know.

Comment 21

[Rangan Sen]

Regarding #3, one way to do that might be - go to https://www.hotmail.com - a
dialog for domain name mismatch would come up, and check on 'remember this cert
permanently'. CA for this cert is RSA, and that would be included in the list of
CA's available when Netscape6 is installed.

Comment 22

[Sean Cotter]

To check the case where the web site cert is from a trusted authority, just
click "Edit CA trust" and select all three boxes. Next time you open the same
web site cert, you'll see the text for the trusted CA case.

I'm not so concerned about "settings" in the title name per se, but there are
two other issues that do concern me:

- "Edit trust settings" is the title for both this dialog (editing web site cert
trust settings) and the equivalent dialog for editing CA trust settings. I would
prefer to see these dialogs distinguished more clearly: "Edit web site
certificate trust settings" for this case and "Edit CA certificate trust
settings" for the other.

- The dialog opens to a huge size, with a bunch of white space above and below
the radio buttons. Surely this isn't necessary. The dialog can be resized by
hand to more reasonable dimensions without losing anything.

Both of these are relatively minor complaints that probably are less important
than other UI changes in progress. It's up to you whether to close this bug or
keep it open for a future release.

Comment 23

[Rangan Sen]

The window sizing trouble [that the window is too long] is probably effect of
persistence and would vanish once a new profile is used [for now]. This issue
for editcert as well as deletecert windows is being addressed in bug# 95441. 

Comment 24

[Rangan Sen]

Attachment: patch to fix the title problem ... sorry I missed that

Comment 25

[David P. Drinan]

r=ddrinan.

Comment 26

[Joe Hewitt (gone)]

sr=hewitt

Comment 27

[ckritzer (gone)]

I'll verify this with tomorrow morning's builds...

Comment 28

[Rangan Sen]

Patch Checked in. 
This would fix the window title problem. To get proper sized window, it would
still be needed to use fresh profile[for now, till we check in patch to bug#
95411]. Also, the 'Edit Web Site Cert' window still has a awkward layout [bug#
82887] - I do not have a fix for that yet.... 

Comment 29

[ckritzer (gone)]

Okay, I noticed something else odd today...

Changing the state of the radio buttons seems to have no effect on the text
above it which starts either as "Because you trust the..." or "Because you don't
trust the...".  When the text indicates trust, changing the radio button to
'trust' and selecting the [OK] button will not change the state of the text when
you open the edit window back up again.

What *does* seem to make a difference (whether you change the radio button or
not) is when you change the state of the checkboxes in the "Edit Certificate
trust" window (turn them all off or one/all on).  When all checkboxes are
unchecked, the text changes to "don't trust" & when one or more checkboxes are
checked, the text will change to "trust"

Comment 30

[Rangan Sen]

I believe the text "Because you trust the..." or "Because you don't trust
the...".   should actually change only when the trust of the issuer CA is
changed [eg, by clicking the 'Edit CA' button, and opening trust settings window
for the CA], because this text reflects the default trust of this ssl cert,
which is defined by the trust on its CA.
 
But, even if we do not trust/know the CA, we can choose to trust this particular
web site cert [or,the other way round]by checking the radio button 'Trust the
authenticity of...'. So next time we open the edit dialog, we still have the
same text 'Because you do not trust..' showing up, but the button 'trust the
authenticity..' is checked, indicating we trust this ssl cert, though its CA is
not trusted.

Still, putting in some text to indicate the 'actual' trust status might make it
easier for users to understand.

Comment 31

[Stephane Saux]

Change the target of bugs with state 'RESOLVED' and target 'Future' to target
'2.1' since they were fixed for the 2.1 release.

Comment 32

[Stephane Saux]

Using win Build ID 20010919-0.9.4, I verified the following:
Use a fresh profile.
Got to https://beaver.mcom.com
You don't have the CA cert, so you're told so.  Remember the cert permanently.
Go to cert manager, web cert tab, edit the cert
Click on Edit CA trust -> get a dialog that you don't have the CA cert.
close cert manager.
Go to http://juggler.mcom.com
Click retrieval tab and import CA cert When the trust setting pop up, do not
check anything.
open cert manager, web cert tab.
edit cert.  The message says that you don't trust the CA cert.
go to authorities tab.
Edit the CA and trust it.
go to web cert tab.
edit the cert.
it says you trust the CA.
You can edit the CA trust.

I think it's verified.

Comment 33

[John Unruh]

Verified on 9/19 WinNT branch.