Open
Bug 100989
Opened 23 years ago
Updated 1 year ago
sort SSL client auth cert selection list based on expired/revoked state
Categories
(Core :: Security: PSM, defect, P3)
Tracking
()
NEW
Future
People
(Reporter: cfu, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [kerh-ehz][psm-auth][psm-clientauth])
N6 2001091703

Revoked certs shouldn't be presented for SSL client auth.

To reproduce:
0. get a new N6 profile
1. go to https://cfu to enroll for a cert. uid="test1", password="test1", note the serial number (do the same for "test2", so you have two certs)
2. go to https://cfu [Revocation] to revoke test1
3. wait 20+ minutes (for the CRL to be updated)
4. go to https://cfu [Retrieval], [Import CRL], and select to import CRL into your browser.
5. go to "validation" [Manage CRL] to check the CRL is there
6. go to https://cfu [Renewal] [Submit]

I expect to see just test2 on the cert selection, but saw test1 also there.
Comment 1•23 years ago
->future. see also bug 92131
Assignee: ssaux → kai.engert
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Target Milestone: --- → Future
Comment 2•23 years ago
Currently, the NSS function that searches for certs, valid for the requested CA, doesn't make a difference between expired and revoked certs. In a discussion today it was said that we currently need expired certs to be displayed in the client auth dialog, which means we have to display revoked certs, too. In the future, we might want to add a UI, which by default shows only valid certs, but allows the user to add the invalid certs to the selection list. To not forget about this, we leave this bug open, at least until a decision is made.
Updated•22 years ago
Blocks: clientauth
Comment 4•19 years ago
Note:
1. This Bug is still there in Mozilla 1.5.7
2. If a certificate is selected automatically it looks like the "newest" (or "lasting longest"?) certificate is selected even if it is known to be revoked.

Proposal: Change the sorting of the certificates so that revoked certs go to the bottom of the list. And don't use them automatically.
Updated•19 years ago
Whiteboard: [kerh-ehz]
Updated•17 years ago
QA Contact: junruh → ui
the code lives here: nsNSS_SSLGetClientAuthData

How about:
live certs
expired certs
revoked certs
Summary: revoked certs presented in cert selection list for SSL client auth → sort SSL client auth cert selection list based on expired/revoked state
Version: 1.0 Branch → Trunk
Updated•14 years ago
Whiteboard: [kerh-ehz] → [kerh-ehz][psm-auth]
Component: Security: UI → Security: PSM
Priority: P2 → P3
Whiteboard: [kerh-ehz][psm-auth] → [kerh-ehz][psm-auth][psm-clientauth]
Updated•2 years ago
Severity: normal → S3
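The ordering proposed in the comments above (live certs, then expired certs, then revoked certs, with a revoked cert never chosen automatically), sketched as an added example that is not PSM or NSS code. The ClientCert record, the function names, the longest-lasting-first tie-break and the sample data are assumptions made for illustration.

```cpp
#include <algorithm>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

enum class CertState { Live = 0, Expired = 1, Revoked = 2 };

// Hypothetical record; the real dialog works on NSS certificate objects.
struct ClientCert {
    std::string nickname;
    int64_t notAfter;  // expiry time, seconds since epoch
    bool revoked;      // outcome of a CRL/OCSP check done elsewhere
};

// Revocation outranks expiry: a revoked cert stays revoked after it expires.
CertState classify(const ClientCert& c, int64_t now) {
    if (c.revoked) return CertState::Revoked;
    return c.notAfter < now ? CertState::Expired : CertState::Live;
}

// Dialog order: live, expired, revoked. Within a class the longest-lasting
// cert comes first (assumed tie-break, not specified in the bug).
void sortForDialog(std::vector<ClientCert>& certs, int64_t now) {
    std::stable_sort(certs.begin(), certs.end(),
        [now](const ClientCert& a, const ClientCert& b) {
            CertState sa = classify(a, now), sb = classify(b, now);
            if (sa != sb) return sa < sb;
            return a.notAfter > b.notAfter;
        });
}

// Automatic selection takes the head of the sorted list unless it is revoked;
// nullptr means "ask the user" because only revoked certs are available.
const ClientCert* pickAutomatic(const std::vector<ClientCert>& sorted, int64_t now) {
    if (sorted.empty()) return nullptr;
    const ClientCert& first = sorted.front();
    return classify(first, now) == CertState::Revoked ? nullptr : &first;
}

// Constructed sample: test1 is revoked but has the latest expiry date.
std::vector<ClientCert> sampleCerts() {
    return {{"test1", 2000, true}, {"test2", 1500, false}, {"old", 500, false}};
}

int main() {
    std::vector<ClientCert> certs = sampleCerts();
    sortForDialog(certs, 1000);
    for (const ClientCert& c : certs) std::cout << c.nickname << "\n";
    return 0;
}
```

With the constructed data, a selection based only on the latest expiry would pick the revoked test1; sorting by state first puts test2 at the top and test1 at the bottom.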