Display OpenVPN certificate expiry and revocation status on login.mozilla.com

NEW
Unassigned

Status

3 years ago
6 months ago

People

(Reporter: emorley, Unassigned)

Tracking

Details

(Reporter)

Description

3 years ago
In bug 1289031 there were UX issues relating to expired/revoked OpenVPN certificates (see bug 1289374 for more details).

It would be really helpful if https://login.mozilla.com/ did the following:
1) On the openvpn section, display the cert's expiry date, next to the cert fingerprint
2) On the openvpn section, display the cert's revocation status
3) If the expiry date is in the past or the cert is revoked, add a warning to the openvpn section and possibly also the dashboard landing page


It would also be ideal if the user were emailed if their cert is about to expire (or has been revoked), but that's probably fodder for another bug.

Thanks :-)

Comment 1

6 months ago
Transferring notes over from bug 1289374 because I'm closing that, but it has items that are in the login.m.c wheelhouse that shouldn't get lost.

(In reply to Ed Morley [:emorley] from comment #0)
> 1) On the openvpn section, display the cert's expiry date, next to the cert
> fingerprint

This was done in the last release.
Optional RFE: color changes/indications in the text for "expires in the next month"/"has expired".

> 2) On the openvpn section, display the cert's revocation status
> 3) If the expiry date is in the past or the cert is revoked, add a warning
> to the openvpn section and possibly also the dashboard landing page

With the certificate appliance changing, this may change what is available at all.

Unsure what the revocation experience is like in the new release, whether the cert just disappears, or any indication of a revocation is present.  Since login.m.c is effectively the source of truth on the user cert, I think it would be fair for a revoked cert to disappear and become unavailable, but there may be an opportunity for a side link around viewing your revoked fingerprints, for auditing the past.

I'm unclear what a good option here would look like, so I'm noodling out loud.

> It would also be ideal if the user were emailed if their cert is about to
> expire (or has been revoked), but that's probably fodder for another bug.

I believe mail for revocations/generations would be excellent for operational security, and impending-expiring-certificate would be good for user experience.  This also will need consideration as part of the Wifi project, also under the login.m.c umbrella.

Considering we're about to have a refresh of configs and certificates, this probably has a few years before expiration becomes an issue, while revocations could be needed 'sooner'.
QA Contact: rtucker
You need to log in before you can comment on or make changes to this bug.