Closed Bug 1657588 Opened 4 years ago Closed 7 months ago

client certificate dialog: "cancel" should be "don't send a client certificate"

Categories

(Core :: Security: PSM, enhancement, P2)

Firefox 81
enhancement

Tracking


RESOLVED DUPLICATE of bug 1401466

People

(Reporter: david.balazic, Unassigned)

References

Details

(Whiteboard: [psm-backlog][psm-clientauth])

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0

Steps to reproduce:

  • have more than one (or at least one) personal certificate installed in Firefox
  • go to a website that uses client certificate authentication
  • in the "User Identification Request" dialog that pops up, click cancel

Actual results:

Firefox remembered the decision "user wants to access this website without a client certificate".

Expected results:

Not the above. Cancel means "don't do stuff".

Ideas for solution:

  • in the list of choices (the installed certificates), add a new one: Access the website with no client certificate
    Then this choice can be remembered (or not, depending on whether the "Remember this decision" option is selected).

or

  • rename the "Cancel" button to "Use no client certificate", to match actual behavior

Note: this issue has been reported as bug 537103 11 years ago, but as per bug 634697 comment 51 I'm opening a new one.

The issue was observed in Nightly: 81.0a1 (2020-08-06) (64-bit)

Blocks: 634697
Component: Untriaged → Security: PSM
Product: Firefox → Core

I agree that "Cancel" is an unintuitive spelling for "Don't use a client certificate".

As noted in the old bug, the UI needs to support several use cases:

  • Access website with a specified certificate [e.g. use this identity]
  • Access website without providing any certificate [e.g. client certificate is optional]
  • Always ask which (of multiple) certificates when accessing website [e.g. want to choose identity for transaction]
  • Access website with "best" available certificate (don't ask)
  • Remember (or not) the choice
  • Forget any remembered choice [Situations/roles change]
  • Update remembered choice (e.g. Forget certificate selection & replace with a newer certificate)

One thing that's often forgotten is that old (e.g. expired/revoked) certificates are often retained in users' certificate storage after they've been replaced. This is because they may also be used for encryption (e.g. encrypted e-mail or files), and they must be available to read archived messages/files.

Thus, the default or "select one for me" choice should prioritize the newest valid and unexpired certificate. (But if all are expired, newest valid.) In any case, don't assume that only one certificate matching the selection criteria will be retained in the certificate store.
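The "select one for me" preference described in the comment above, written out as an added example (not Firefox's PSM code) over constructed certificate records; `ClientCert`, `pick_default` and the sample set are assumptions made for the illustration. It also returns no certificate at all when nothing usable remains, so the caller must still offer the "don't send a certificate" outcome instead of sending a revoked or not-yet-valid one.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

@dataclass(frozen=True)
class ClientCert:
    """Minimal stand-in for a stored personal certificate (constructed, not a real cert)."""
    nickname: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False
    signature_valid: bool = True   # chains to a trusted issuer and the signature checks out

def is_valid(cert: ClientCert, now: datetime) -> bool:
    """Usable at all: trusted, not revoked, and its validity period has started."""
    return cert.signature_valid and not cert.revoked and cert.not_before <= now

def is_unexpired(cert: ClientCert, now: datetime) -> bool:
    return cert.not_after > now

def pick_default(certs: Iterable[ClientCert], now: datetime) -> Optional[ClientCert]:
    """Preference order from the comment: newest valid and unexpired certificate;
    if none is unexpired, the newest valid one. 'Newest' means latest not_before.
    Returns None when no certificate is usable; that is the caller's cue to
    fall back to "don't send a certificate" rather than pick a bad one."""
    usable = [c for c in certs if is_valid(c, now)]
    if not usable:
        return None
    fresh = [c for c in usable if is_unexpired(c, now)]
    return max(fresh or usable, key=lambda c: c.not_before)

def _d(y: int, m: int) -> datetime:
    return datetime(y, m, 1, tzinfo=timezone.utc)

# Constructed sample store: the typical mix of a current cert plus retained old ones.
NOW = _d(2024, 1)
SAMPLE_CERTS = [
    ClientCert("old-expired",   _d(2018, 1), _d(2020, 1)),
    ClientCert("newer-expired", _d(2021, 1), _d(2023, 1)),
    ClientCert("current",       _d(2022, 1), _d(2024, 6)),
    ClientCert("revoked-new",   _d(2023, 6), _d(2025, 6), revoked=True),
]

if __name__ == "__main__":
    chosen = pick_default(SAMPLE_CERTS, NOW)
    print(chosen.nickname if chosen else "no usable certificate: don't send one")
```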

Severity: -- → N/A
Type: defect → enhancement
Priority: -- → P2
Summary: Client Certificate Authentication remembers decision when canceling → client certificate dialog: "cancel" should be "don't send a client certificate"
Whiteboard: [psm-backlog][psm-clientauth]
See Also: → 803975

As of (at least) Firefox v120 the button label says: Don't send a certificate

So the issue is resolved.

Status: UNCONFIRMED → RESOLVED
Closed: 7 months ago
Duplicate of bug: 1401466
Resolution: --- → DUPLICATE