Open Bug 100989 Opened 24 years ago Updated 2 years ago

sort SSL client auth cert selection list based on expired/revoked state

Categories

(Core :: Security: PSM, defect, P3)

x86
Windows 2000
defect

Tracking

Future

People

(Reporter: cfu, Unassigned)

Details

(Whiteboard: [kerh-ehz][psm-auth][psm-clientauth])

N6 2001091703

Revoked certs shouldn't be presented for SSL client auth.

To reproduce:
0. get a new N6 profile
1. go to https://cfu to enroll for a cert. uid="test1", password="test1", note the serial number (do the same for "test2", so you have two certs)
2. go to https://cfu [Revocation] to revoke test1
3. wait 20+ minutes (for the CRL to be updated)
4. go to https://cfu [Retrieval], [Import CRL], and select to import CRL into your browser.
5. go to "validation" [Manage CRL] to check the CRL is there
6. go to https://cfu [Renewal] [Submit]

I expect to see just test2 on the cert selection, but saw test1 also there.
->future. see also bug 92131
Assignee: ssaux → kai.engert
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Target Milestone: --- → Future
Currently, the NSS function that searches for certs, valid for the requested CA, doesn't make a difference between expired and revoked certs. In a discussion today it was said that we currently need expired certs to be displayed in the client auth dialog, which means we have to display revoked certs, too. In the future, we might want to add a UI, which by default shows only valid certs, but allows the user to add the invalid certs to the selection list. To not forget about this, we leave this bug open, at least until a decision is made.
Changing my preferred e-mail address.
Assignee: kai.engert → kaie
Blocks: clientauth
Note:
1. This Bug is still there in Mozilla 1.5.7
2. If a certificate is selected automatically it looks like the "newest" (or "lasting longest"?) certificate is selected even if it is known to be revoked.

Proposal: Change the sorting of the certificates so that revoked certs go to the bottom of the list. And don't use them automatically.
Product: PSM → Core
Whiteboard: [kerh-ehz]
QA Contact: junruh → ui
Version: psm2.1 → 1.0 Branch
the code lives here: nsNSS_SSLGetClientAuthData

How about:
live certs
expired certs
revoked certs
Summary: revoked certs presented in cert selection list for SSL client auth → sort SSL client auth cert selection list based on expired/revoked state
Version: 1.0 Branch → Trunk
Whiteboard: [kerh-ehz] → [kerh-ehz][psm-auth]
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
Component: Security: UI → Security: PSM
Priority: P2 → P3
Whiteboard: [kerh-ehz][psm-auth] → [kerh-ehz][psm-auth][psm-clientauth]
Severity: normal → S3