Open Bug 100989 Opened 23 years ago Updated 1 year ago

sort SSL client auth cert selection list based on expired/revoked state

Categories

(Core :: Security: PSM, defect, P3)

x86
Windows 2000
defect

Tracking

Future

People

(Reporter: cfu, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [kerh-ehz][psm-auth][psm-clientauth])

N6 2001091703

Revoked certs shouldn't be presented for SSL client auth.
To reproduce:
0. get a new N6 profile
1. go to https://cfu to enroll for a cert. uid="test1", password="test1", note
the serial number (do the same for "test2", so you have two certs)
2. go to https://cfu [Revocation] to revoke test1
3. wait 20+ minutes (for the CRL to be updated)
4. go to https://cfu [Retrieval], [Import CRL], and select to import CRL into
your browser.
5. go to "validation" [Manage CRL] to check the CRL is there
6. go to https://cfu [Renewal] [Submit]

I expect to see just test2 on the cert selection, but saw test1 also there.
->future.
see also bug 92131
Assignee: ssaux → kai.engert
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Target Milestone: --- → Future
Currently, the NSS function that searches for certs, valid for the requested CA,
doesn't make a difference between expired and revoked certs.

In a discussion today it was said that we currently need expired certs to be
displayed in the client auth dialog, which means we have to display revoked
certs, too.

In the future, we might want to add a UI, which by default shows only valid
certs, but allows the user to add the invalid certs to the selection list.

To not forget about this, we leave this bug open, at least until a decision is made.
Changing my preferred e-mail address.
Assignee: kai.engert → kaie
Blocks: clientauth
Note:
1. This Bug is still there in Mozilla 1.5.7
2. If a certificate is selected automatically it looks like the "newest" (or
"lasting longest"?) certificate is selected even if it is known to be revoked.

Proposal: Change the sorting of the certificates so that revoked certs go to the
bottom of the list. And don't use them automatically.
Product: PSM → Core
Whiteboard: [kerh-ehz]
QA Contact: junruh → ui
Version: psm2.1 → 1.0 Branch
the code lives here: nsNSS_SSLGetClientAuthData

How about:
live certs
expired certs
revoked certs
Summary: revoked certs presented in cert selection list for SSL client auth → sort SSL client auth cert selection list based on expired/revoked state
Version: 1.0 Branch → Trunk
Whiteboard: [kerh-ehz] → [kerh-ehz][psm-auth]
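The ordering proposed in the two comments above (live, then expired, then revoked, with revoked certs never used automatically), as an added C++ example that is not PSM or NSS code. The `Candidate` struct, its fields and all function names are hypothetical, and the revoked flag is assumed to have been set already from an imported CRL.

```cpp
#include <algorithm>
#include <cstdint>
#include <string>
#include <vector>

// Hypothetical model of one client-auth candidate; not an NSS or PSM type.
struct Candidate {
    std::string nickname;
    int64_t notAfter;   // expiry, seconds since epoch
    bool revoked;       // assumed set from a locally imported CRL
};

enum class CertState { Live = 0, Expired = 1, Revoked = 2 };

// Revocation outranks expiry: a cert that is both is treated as revoked.
CertState classify(const Candidate& c, int64_t now) {
    if (c.revoked) return CertState::Revoked;
    if (c.notAfter < now) return CertState::Expired;
    return CertState::Live;
}

// Order: live, then expired, then revoked. Inside each group the cert that
// lasts longest comes first; stable_sort keeps the incoming order for ties.
void sortForDialog(std::vector<Candidate>& certs, int64_t now) {
    std::stable_sort(certs.begin(), certs.end(),
        [now](const Candidate& a, const Candidate& b) {
            CertState sa = classify(a, now), sb = classify(b, now);
            if (sa != sb) return sa < sb;
            return a.notAfter > b.notAfter;
        });
}

// Automatic selection takes the top entry of the sorted list, but never a
// revoked one. Returns -1 when only revoked certs remain (ask the user).
int autoSelect(const std::vector<Candidate>& sorted, int64_t now) {
    if (sorted.empty()) return -1;
    return classify(sorted.front(), now) == CertState::Revoked ? -1 : 0;
}

// Constructed sample data: test1 is revoked, test2 is live, old has expired.
std::vector<Candidate> sampleCerts() {
    return { {"test1", 2000, true}, {"old", 500, false}, {"test2", 1500, false} };
}

int main() {
    auto v = sampleCerts();
    sortForDialog(v, 1000);
    return autoSelect(v, 1000) == 0 ? 0 : 1;
}
```

In the sample, test1 has the latest expiry, so a "lasting longest" rule alone would pick it even though it is revoked; with the state-based ordering it drops to the bottom and test2 is selected.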
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
Component: Security: UI → Security: PSM
Priority: P2 → P3
Whiteboard: [kerh-ehz][psm-auth] → [kerh-ehz][psm-auth][psm-clientauth]
Severity: normal → S3