Closed Bug 120939 Opened 23 years ago Closed 22 years ago

Make clear that both encryption and signing certs are required to configure s/mime.

Categories

(MailNews Core :: Security: S/MIME, defect, P3)

Product:
MailNews Core
Component:
Security: S/MIME
Version:
Other Branch
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
psm2.2

People

(Reporter: erl, Assigned: KaiE)

References

Details

(Whiteboard: [adt2 rtm])

Attachments

(1 file, 1 obsolete file)

Updated Patch
8.87 KB, patch
mscott
: superreview+
jud
: approval+
Details | Diff | Splinter Review 
I have a certificate identifying me, signed by my bank (Skandiabanken). I
normally use it to log into my bank's website, but now I wanted to try to sign
E-mails with it.
  I selected it in my mail account settings, to be used for signing my E-mails.
Here is the info displayed when selecting the certificate called "Erland Lewin's
Skandiabanken AB ID":

  Subject: CN=Erland Lewin, OU=Bondegatan 81 4 tr, O=7009070413, L=Stockholm,
ST=11634, C=SE
  Serial Number:0A:D9:93:A1:00:01:00:0D:7A:0C
  Valid from 2001-08-15 10:51:27 to 2002-08-15 11:01:27
  Purposes: Client,Server,Sign,Encrypt
Issued by:
  Subject: CN=SkandiaBanken Internetbank CA01, OU=SkandiaBanken AB,
O=SkandiaBanken AB, L=Stockholm, ST=Stockholm, C=SE, E=webmaster@skandiabanken.se

When I try to send a signed but not encrypted E-mail to myself, I get an error
message saying: "Sending of message failed. You requested to sign this message, 
but the application failed to find an encryption cert to include in the signed
message or the certificate has expired."

Normally, I need to specify my password to use the certificate when I log into
the website. I don't know if that mechanism might be a problem.

I'm running a CVS from yesterday, so it shouldn't be bug #117148.
Do you have proper trust bits set for the issuer of your certificate?
You may want to take a look bug 119641.
Thanks for the tip, Antonio. However, it doesn't seem to be a trust problem.

My certificate does say 'true' in the 'verified' column under "Your
certificates" in the Certificate Manager.
  It chains up to the "SkandiaBanken Internetbank CA01". That CA is in the list
under the "Authorities" tab. When I select it and click 'edit', all three trust
settings are checked.

What can I do to get more debug info on why the certificate is not being found?

You must set both the signing and encryption certificate part in the Mail/News
Account Manager. In your case, the two certs will be the same, but many
organizations issues different certs for signing and encryptions, hence the need
to have setup for both.

The reason why you want to include an encryption certificate when you sign and
email is so that your recipient can send you encrypted emails.

This should solve your problem.
Priority: -- → P3
Target Milestone: --- → 2.2
Ok, it works when I have specified the certificate for encryption as well
(however, this exposed bug #122261).

However, it sounds to me like the behaviour should be changed such that
specifying an encryption certificate is optional, when only signing a certificate 
  Or the certificate specification dialog should refuse to accept a signing
certificate (or at least warn) if an encryption certificate is not specified.

Should I create a new bug for this requested change of behaviour?

Both certificates are required by this s/mime implementation.  We can make sure
that if they are not both setup the feedback is better.

Changing summary.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Failure to find certificate when signing E-mail → Make clear that both encryption and signing certs are required to configure s/mime.
Blocks: 74157
S/MIME bugs are automatically nsbeta1 candidates. (this is a bulk update - there
may be some adjustment of the list).
Keywords: nsbeta1
Keywords: nsbeta1+
kai
nsbeta1-
Assignee: ssaux → kaie
Keywords: nsbeta1, nsbeta1+nsbeta1-
I would like to re-nominate for nsbeta1, because I think I have a simple idea
that fixes this bug.

I suggest we just add a simple on line explanation to the current email security
preferences dialog.

Something like: "Note that in order to use E-Mail security, you need to select
both signing and encryption certificate."

That would "make it clear", won't it?
Keywords: nsbeta1-nsbeta1
QA Contact: alam → carosendahl
Keywords: nsbeta1nsbeta1+
Whiteboard: [adt2 rtm]
OS: Linux → All
Hardware: PC → All
I would like to iterate the different options we have to enhance this dialog.

Obviously, our current code is not optimal.
It requires to have both certificates configured.
Any people don't understand that, not expecting "dual-key certificates", and do
not select both.

I could imagine many different ways to enforce the configuration, but we do have
some constraints.
For example, at the time the user brings the mail security preference view to
the front, we have a limited amount of options.
At that time, we should not automatically check whether the (previously)
configured certs are still available,
because that might be slow, and it might to ask the user to log in to security
devices, both software and hardware.

We could have two different fields, a checkbox that says "use same cert for
both", and if checked, disable the other cert selection.
However, in that case, we would have to also solve the problem, that a cert
might be usable only for one purpose, and the UI would have to visualize that,
maybe by automatically unselecting the checkbox, and disabling it, so the user
can not enable it.
But in those cases, where the cert can be only used for signing, this approach
would not help at all. Because we would change the UI, enable the second field,
and the user would still have to see that and manually select the cert.


I rather want to suggest that we leave the two different fields, arranged on the
screen as they are currently.


But I want to suggest that we help the user by showing additional helper messages.

Imagine the following scenario:

- user has not yet selected any cert
- user presses button to configure signing cert
- user selects cert and hits ok

At that time I think we should automatically do the following:
- check whether the selected cert is usable for encryption, too
- check whether there is already a encryption cert selected

Dependent on the results, we should show a dynamic message.
I'm describing a few different scenarious, the messages I think we should show,
and the actions we should take.


1.)
If there is not yet a cert for encryption selected, 
and the selected cert is usable for encryption, show:
  "Note that before you can use digitally signing, you must also
  specify a cert that other people can use to send you encrypted email.
  Do you want to use the same cert for receiving encrypted messages?
  Yes, No, Cancel."
If the user selects Yes, we will automatically configure the cert for the
other purpose, too.
If the user selects No or Cancel, we will leave the current configuration as is.


2.)
If there is not yet a cert for encryption selected,
but the selected cert is NOT usable for encryption, show:
  "Note that before you can use digitally signing, you must also
  specify a cert that other people can use to send you encrypted email.
  Do you want configure an encryption certificate now?
  Yes, No, Cancel."
If user selects Yes, we will automatically open up another certificate picker,
as if the user hit the "select encryption certificate" button.
  If the user confirms a cert, it will be configured.
  If the user cancels the cert selection, no change will be made.
  If there is no encryption cert available, the user will see an
  appropriate error message (as implemented with bug 136948).
If the user selects No or Cancel, we will leave the current configuration as is.


3.)
If there is already a cert configured for encryption,
we don't need to remind the user to configure one.
If the selected cert is only usable for signing, but not for encryption,
it does not make even sense to display any message.
However, if the selected cert is usable for both purposes, we should ask
whether the user wants to use that newly selected cert for both purposes, and
I suggest we ask the user the following:
  "Do you want to use the same cert for receiving encrypted messages?
  Yes, No, Cancel."
If the user selects Yes, we will automatically configure the cert for the
other purpose, too.
If the user selects No or Cancel, we will leave the current configuration as is.
Note, that we should do another check before opening the message, we should
check whether the configured cert for the other purpose is already the same
cert. In that case, everything is fine already, and not prompts should be shown.


4.)
Sections 1-3 should also be done for the other direction.
I.e. if the user selects an encryption cert, we should also check for
the signing cert, and should show the approriate messages, as defined by 1-3.


Strings
=======
If you agree, I see the need for wordings like the following, which will be
dynamically combined by the code at runtime into the messages described above.

A) Note that before you can use digitally signing, you must also
   specify a cert that other people can use to send you encrypted email.

B) Note that before you can use email encryption, you must also
   specify a cert that can be used to digitally sign messages.

C) Do you want to use the same cert for receiving encrypted messages?

D) Do you want to use the same cert for digitally signing email messages?

E) Do you want to configure an encryption certificate now?

F) Do you want to configure a certificate for digitally signing messages now?
Status: NEW → ASSIGNED
If you agree, I want to implement the above, which will be easy to do.

I also suggest two more changes to the wordings of the dialog.

First, I suggest we display a message above the cert selection areas, as I
describe it in comment 8.

Second, I think we should enhance the wording in the Encryption box that is
currently "Use the following personal certificate".
I saw that people who understand email encryption were confused by that wording.
I suggest we use something like:
  "Certificate to be used for receiving encrypted messages from other people"

Based on kaie's suggestions, I'd like to propose the following text changes to
the Mail & Newsgroups Account Settings/Security panel:

New text at very top (below the Security heading):

"To send and receive signed or encrypted messages, you must specify both a
digital signing certificate and an encryption certificate."

Text before signatures cert field:

"Use this certificate to digitally sign messages you send:"


Text before encryption cert field:

"Use this certificate to encrypt & decrypt messages sent to you:"


Revisions for messages A-F proposed in comment 9:

A) Before you can digitally sign messages, you must also specify a certificate
for other people to use when they send you encrypted messages.

B) Before you can encrypt messages, you must also specify a certificate to use
for digitally signing your messages.

C) Do you want to use the same certificate to encrypt & decrypt messages sent to
you?

D) Do you want to use the same certificate to digitally sign your messages?

E) Do you want to configure an encryption certificate now?

F) Do you want to configure a certificate for digitally signing messages now?


Note that help buttons are due to reappear in the Mail & Newsgroup Account
Settings dialog (fix is part of bugzilla 129540). Help content for the security
panel is already in the builds, but needs updating for these UI changes.

Thanks Sean, I like your wordings, and I'll have a patch ready very soon.

But I just noted the following: For sending encrypted messages, we do not
require that a signature cert is selected.

I therefore suggest to change wording B into a recommendation:

B) Before you encrypt messages, you should also specify a certificate to use
for digitally signing your messages.

Does that sound ok?

Actually, because B) is no longer a requirement, I think the phrase "Before you"
is not required.

What about:

B) You should also specify a certificate to use for digitally signing your messages.

New wording looks fine to me.
Attached patch Suggested Patch (obsolete) — Splinter Review 
This patch implements the suggestion and uses Sean's wording.
Just FYI, the patch is incremental to the patch in bug 136948. Only to avoid
conflicting patches.

Comment on attachment 83798 [details] [diff] [review]
Suggested Patch

>+  if (!otherCertInfo.value.length) {
>+    if (matchingOtherCert) {
>+      var message = gBundle.getString(msgNeedCert) + " " + gBundle.getString(msgWantSame);
>+      userWantsSameCert = askUser(message);
>+    }
>+    else {
>+      var message = gBundle.getString(msgNeedCert) + " " + gBundle.getString(msgWantToSelect);
>+      if (askUser(message)) {
>+        smimeSelectCert(pref);
>+      }
>+    }
>+  }
This concatenation of message string may not fly with the localization camp.
I'm OK 
with this since these are 2 separate sentences, but I'm not sure what the 
localization people would think.

r=javi on everything else.
Attachment #83798 - Flags: review+
Attached patch Updated PatchSplinter Review 
My intention was to avoid duplicate strings in the string bundle.

But Javi explained me (thanks!), that the localization team rather prefers
those duplicates, because that way, they have an influence on the sentence
structure.

This new patch duplicates the strings in the bundle directly, no longer in the
code. No other changes.
Attachment #83798 - Attachment is obsolete: true
>At that time, we should not automatically check whether the (previously)
>configured certs are still available,
>because that might be slow, and it might to ask the user to log in to security
>devices, both software and hardware.

Patch looks good.  

I imagine we can fix the delete cert code in the cert manager to blank out the
prefs if the cert happens to be configured for signing/encrypting.  The user
needed to log into the devices to perform the delete anyway, and that is
probably the correct location to place the cleanup.

The same function could be called from within the reset master password function
as well...
Comment on attachment 83811 [details] [diff] [review]
Updated Patch

just a small question, can we call the const nsX509CertDB: nsX509CertDBProgID
or put the word ID in the variable name some where? That might make it easier
to recognize what it is when it's used in the code.

No need to submit a new patch if you decide to change the name of the variable.

code looks great.

sr=mscott
Attachment #83811 - Flags: superreview+
Had a chat with Scott, he told me that he meant ContractID, not ProgID.
Checked in with variable renamed to nsX509CertDBContractID.
Keywords: adt1.0.0
Marking fixed
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Verified on 20020520 Trunk Builds.  Please add the fixed1.0.0 keyword when this
has migrated to branch.
Status: RESOLVED → VERIFIED
adt1.0.0+ (on ADT's behalf) for approval to checkin to the 1.0 branch, pending
Driver's approval.  After, checking in, please add the fixed1.0 keyword.
Keywords: adt1.0.0adt1.0.0+
Blocks: 143047
changing to adt1.0.1+ for checkin to the 1.0 branch.  Please get drivers
approval before checking in.
Keywords: adt1.0.0+adt1.0.1+
Keywords: mozilla1.0.1
Attachment #83811 - Flags: approval+
please checkin to the 1.0.1 branch ASAP. once there please remove the
mozilla1.0.1+ keyword and add the fixed1.0.1 keyword.
Keywords: mozilla1.0.1mozilla1.0.1+
Checked in to branch
Keywords: fixed1.0.1
Keywords: adt1.0.1+, mozilla1.0.1+
*** Bug 148945 has been marked as a duplicate of this bug. ***
Verified on 20020606 Branch
Keywords: fixed1.0.1verified1.0.1
Product: PSM → Core
Product: Core → MailNews Core
QA Contact: carosendahl → s.mime
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: