client certificate dialog: "cancel" should be "don't send a client certificate"
Categories
(Core :: Security: PSM, enhancement, P2)
People
(Reporter: david.balazic, Unassigned)
Details
(Whiteboard: [psm-backlog][psm-clientauth])
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
Steps to reproduce:
- have more than one (or at least one) personal certificate installed in Firefox
- go to a website that uses client certificate authentication
- in the "User Identification Request" dialog that pops up, click cancel
Actual results:
Firefox remembered the decision "user wants to access this website without a client certificate".
Expected results:
Not the above. Cancel means "don't do stuff".
Comment 1 (Reporter)•4 years ago
Ideas for solution:
- in the list of choices (the installed certificates), add a new one: Access the website with no client certificate
Then this choice can be remembered (or not, depending if the "Remember this decision" option is selected or not).
or
- rename the "Cancel" button to "Use no client certificate", to match actual behavior
Note: this issue has been reported as bug 537103 11 years ago, but as per bug 634697 comment 51 I'm opening a new one.
Comment 2 (Reporter)•4 years ago
The issue was observed in Nightly: 81.0a1 (2020-08-06) (64-bit)
Updated•4 years ago
I agree that "Cancel" is an unintuitive spelling for "Don't use a client certificate".
As noted in the old bug, the UI needs to support several use cases:
- Access website with a specified certificate [e.g. use this identity]
- Access website without providing any certificate [e.g. client certificate is optional]
- Always ask which (of multiple) certificates when accessing website [e.g. want to choose identity for transaction]
- Access website with "best" available certificate (don't ask)
- Remember (or not) the choice
- Forget any remembered choice [Situations/roles change]
- Update remembered choice (e.g. Forget certificate selection & replace with a newer certificate)
One thing that's often forgotten is that old (e.g. expired/revoked) certificates are often retained in users' certificate storage after they've been replaced. This is because they may also be used for encryption (e.g. encrypted e-mail or files), and they must be available to read archived messages/files.
Thus, the default or "select one for me" choice should prioritize the newest valid and unexpired certificate. (But if all are expired, newest valid.) In any case, don't assume that only one certificate matching the selection criteria will be retained in the certificate store.
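The "select one for me" heuristic described in the comment above, written out as an added example (not Firefox, PSM or NSS code): prefer a trusted, unrevoked, unexpired certificate with the newest start date, fall back to the newest trusted-but-expired one when nothing current exists, and never pick a revoked or untrusted one. The certificate store, its field names (subject, notBefore, notAfter, trusted, revoked) and the sample entries are constructed for illustration and are not an API of any real library.

```javascript
// Added example: a "best available client certificate" chooser over a
// constructed in-memory certificate store. Field names are assumptions
// for illustration, not an NSS/PSM interface.

const MS_PER_DAY = 24 * 60 * 60 * 1000;

// Candidates must have a verified chain ("trusted") and must not be revoked.
// Expiry is handled separately so that an expired-but-otherwise-valid
// certificate can serve as a last resort, as the comment above suggests.
function isUsable(cert) {
  return cert.trusted === true && cert.revoked !== true;
}

function isUnexpired(cert, now) {
  return cert.notBefore <= now && now < cert.notAfter;
}

// Newest first: later notBefore wins; ties broken by later notAfter, then
// by subject so the result is deterministic when several certificates match.
function newestFirst(a, b) {
  if (a.notBefore !== b.notBefore) return b.notBefore - a.notBefore;
  if (a.notAfter !== b.notAfter) return b.notAfter - a.notAfter;
  return a.subject.localeCompare(b.subject);
}

// Return the certificate to present, or null when nothing usable exists.
// Preference order: usable and unexpired (newest issued), then usable but
// expired (newest issued). Revoked or untrusted certificates are never chosen.
function chooseClientCertificate(certs, now = Date.now()) {
  const usable = certs.filter(isUsable);
  if (usable.length === 0) return null;
  const current = usable.filter((c) => isUnexpired(c, now));
  const pool = current.length > 0 ? current : usable;
  return [...pool].sort(newestFirst)[0];
}

// Constructed sample store: an old expired cert kept around for decrypting
// archived mail, its current replacement, a newer but revoked cert, and a
// cert whose chain does not verify.
const NOW = Date.parse("2024-06-01T00:00:00Z");
const day = (n) => NOW + n * MS_PER_DAY;

const SAMPLE_STORE = [
  { subject: "CN=alice/2021", notBefore: day(-900), notAfter: day(-170), trusted: true,  revoked: false },
  { subject: "CN=alice/2023", notBefore: day(-200), notAfter: day(530),  trusted: true,  revoked: false },
  { subject: "CN=alice/2024", notBefore: day(-30),  notAfter: day(700),  trusted: true,  revoked: true  },
  { subject: "CN=alice/rogue", notBefore: day(-10), notAfter: day(720),  trusted: false, revoked: false },
];

// Variant where the only trusted, unrevoked certificate has already expired.
const ALL_EXPIRED_STORE = [SAMPLE_STORE[0], SAMPLE_STORE[2]];

function demo() {
  const pick = chooseClientCertificate(SAMPLE_STORE, NOW);
  console.log("chosen:", pick ? pick.subject : "none");
  const fallback = chooseClientCertificate(ALL_EXPIRED_STORE, NOW);
  console.log("fallback:", fallback ? fallback.subject : "none");
}
demo();
```

In the sample store the chooser returns CN=alice/2023 (the revoked 2024 certificate and the untrusted one are skipped), and with only the expired 2021 certificate and the revoked one available it falls back to CN=alice/2021. A store with nothing trusted and unrevoked yields null, which is the case where a UI should ask rather than silently send nothing.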
Updated•4 years ago
Comment 6 (Reporter)•7 months ago
As of (at least) Firefox v120 the button label says: Don't send a certificate
So the issue is resolved.
Updated•7 months ago