Closed Bug 154274 Opened 22 years ago Closed 22 years ago

When signing/encrypting certificate is pre-configured, provide ability to lock associated elements in Security Panel

Categories

(SeaMonkey :: MailNews: Account Configuration, defect)

Product:
SeaMonkey
Component:
MailNews: Account Configuration
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
mozilla1.0.1

People

(Reporter: racham, Assigned: racham)

References

Details

(Whiteboard: [adt3 RTM] [ETA 06/28])

Attachments

(1 file)

patch, v1.0
3.91 KB, patch
racham
: review+
mscott
: superreview+
Details | Diff | Splinter Review 
ISPs and vendros can lock 2 certificate selection buttons on the security panel
(in AccountManager) for a given new profile. This will make the panel locked
since those buttons are starting points on that panel. However, if the cert is
selected, user is allowed to change choices like whether or not to sign or
encrypt. I think it will be better if we can go to the granularity of providing
ISPs/vendors to lock  the sign/encrypt options also. This would be important in
cases where Administrators would not want any of users to send any mails without
signing/encryption.

Patch coming up....
Status: NEW → ASSIGNED
Summary: Existing profile's security panel items should locked too → Existing profile's security panel items should be locked too
Attached patch patch, v1.0Splinter Review 

    
    

    
  
Here are the relavant prefs that need to be added to the prefs file from which
config file is generated.

1. lockPref("mail.identity.id8881.signingCertSelectButton", true);           
// Security Panel - disable button that allows user to select signing cert. 

2. lockPref("mail.identity.id8881.encryptionCertSelectButton", true);           
// Security Panel - disable button that allows user to select encrypt cert.  

3. lockPref("mail.identity.id8881.sign_mail", false);         
// Security Panel - lock the choice of sending mails with/without signing

4. lockPref("mail.identity.id8881.encryptionpolicy", 0);         
// Security Panel - lock and the choice of encryption policy : 0 - Never
encrypt, 2 - Always encrypt


Keywords: nsbeta1

    
  
QA Contact: nbaca → rvelasco
Target Milestone: --- → mozilla1.0.1

    
    

    
  
Comment on attachment 89183 [details] [diff] [review]
patch, v1.0

sr=mscott

        Attachment #89183 -
        Flags: superreview+

    
    

    
  
Comment on attachment 89183 [details] [diff] [review]
patch, v1.0

Navin has given r=.
r=naving.

        Attachment #89183 -
        Flags: review+

    
    

    
  
Changing summary to reflect that locking that can be done when certificates are
pre-configured.
Summary: Existing profile's security panel items should be locked too → When signing/encrypting certificate is pre-configured, provide ability to lock associated elements in Security Panel

    
    

    
  
Fix landed on the trunk.

Thanks for the reviews.
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED

    
  
Keywords: adt1.0.1

    
  
Keywords: mozilla1.0.1

    
  
Blocks: 143047
Keywords: nsbeta1approval, 
          
            nsbeta1+
Whiteboard: [adt3 RTM] [ETA 06/28]

    
    

    
  
Q: when certificate is pre-configured and locked, how do we upgrade users'
certificates?

    
    

    
  
the subject name/nickname of a certificate can be the same for subsequent
certificates from the same issuer.  The application would automatically choose
the most recently issued certificate with the nickname specified in the
signing/encryption cert prefs.

If the nickname for the renewal cert is different, then you're right, the user
will run into a problem. Moreover, if the sign/encrypt preferences are also
locked, then the user will not be able to send any mail for examaple if he must
sign and the signing cert has expired.

    
    

    
  
When it's time to upgrade with a different nick name, they should change
"mail.identity.<id key>.encryption_cert_name" and/or 
"mail.identity.<id key>.signing_cert_name" to pick up the new one. I think that
should just work fine. 

Administrators/ISPs have to choose a right schema of locking here i.e., the one
that fits their organization better. 

* When they want user to use only one certificate and always sign, set those
prefs and lock them all.

* When they want users to use only one certificate and give option to user about
signing mails, then lock only the cert select button and the cert name prefs.

* When they want users to use mutlitple certs, they can't really lock any of the
items as users may want mix&match the combination of certs and the choices
(about sending mails digitally signed).

The patch in here provides flexibility for all kinds of scenarios. I just need
to get driver's approval on this one now for branch checkin. As this is already
on the trunk, I will talk to Rodney to verify this one.


    
    

    
  
verified on linux trunk builds 2002062708 this will probably be a documented
feauture for factory.
Status: RESOLVED → VERIFIED

    
    

    
  
adt1.0.1- per the ADT. let's get it in the next release. should you disagree
with the minus, pls remove the minus, leaving adt1.0.1 in the keywords, then
send an email to Drivers' and ADT for approval.
Keywords: adt1.0.1adt1.0.1-
Product: Browser → Seamonkey

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: