Open Bug 1721367 Opened 4 years ago Updated 3 years ago

certificate manager: indicate when a certificate exists on multiple tokens

Categories

(Core :: Security: PSM, enhancement, P5)

Firefox 90
enhancement

UNCONFIRMED

People

(Reporter: david.balazic, Unassigned)

Details

(Whiteboard: [psm-backlog])

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0

Steps to reproduce:

Visit a website that uses client authentication.

Actual results:

The User Identification Request dialog lists one of the installed certificates twice.

I checked in Settings / Certificate Manager and the certificate is listed only once there.

Expected results:

No doubles.

Attached image screenshot of issue

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core

What PKCS#11 modules do you have loaded?

Flags: needinfo?(david.balazic)

I don't know what those are and how to load them. Or list existing ones.

But about:config shows security.enterprise_roots.enabled is TRUE, if that helps.

Flags: needinfo?(david.balazic)

about:preferences -> Security Devices

Flags: needinfo?(david.balazic)
Attached image Security Devices list

see screenshot

Flags: needinfo?(david.balazic)

In the certificate manager, what "security device" is the certificate on?

If you set security.osclientcerts.autoload to false in about:config, do you still see two copies of the certificate?

Flags: needinfo?(david.balazic)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #7)

> In the certificate manager, what "security device" is the certificate on?

OS Client Cert Token (Modern)

> If you set security.osclientcerts.autoload to false in about:config, do you still see two copies of the certificate?

No, now there is only one.

Flags: needinfo?(david.balazic)

Presumably with security.osclientcerts.autoload as false, that certificate is listed as being on the "Software Security Device" in the certificate manager? If so, you can delete it and set security.osclientcerts.autoload to true (osclientcerts uses client certificates managed by the operating system, so it's actually more secure than also having a copy of your certificate in your Firefox profile).

Flags: needinfo?(david.balazic)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #9)

> Presumably with security.osclientcerts.autoload as false, that certificate is listed as being on the "Software Security Device" in the certificate manager?

Yes, it is.

With security.osclientcerts.autoload as true it shows, as said, "OS Client Cert Token (Modern)".

Why doesn't it list both of them? Is that a bug in the listing code?
At the very least, there is an inconsistency between the chooser dialog and the settings table. One lists both (without marking the difference), the other lists only one (and lists the attribute that makes them different).

Flags: needinfo?(david.balazic)

Listing the certificates twice in the user authentication dialog is a feature, not a bug - if a certificate exists on multiple tokens, using one token over another may be desirable. I imagine there should be a way to see when a certificate exists on multiple tokens in the certificate manager, though, so I'm going to morph this bug.

Severity: -- → N/A
Type: defect → enhancement
Priority: -- → P5
Summary: User Identification Request: a certificate is listed twice → certificate manager: indicate when a certificate exists on multiple tokens
Whiteboard: [psm-backlog]

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #11)

> Listing the certificates twice in the user authentication dialog is a feature, not a bug - if a certificate exists on multiple tokens, using one token over another may be desirable. I imagine there should be a way to see when a certificate exists on multiple tokens in the certificate manager, though, so I'm going to morph this bug.

So, the "fix" is only to mark the duplicates somehow to know where each certificate comes from?

As I explain in the duplicate https://bugzilla.mozilla.org/show_bug.cgi?id=1723493, the main problem with this is when you work with tons of certificates. I have more or less one hundred on my work computer, both installed in the OS (Windows) and in Firefox, for compatibility reasons with other apps. Every time I am prompted to use one, I have to search an unsorted list for the name, but now I have to do it with twice the amount I had before.

I understand this was done for compatibility reasons, but there should be some way to sort the list in a better way:

Thanks.

See Also: → 1780295
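
The two views discussed in this thread, as an added example (not Firefox or PSM code): a certificate-manager listing that marks a certificate held on more than one token, and a chooser listing that keeps one row per token but sorts and labels the rows. The function names, the `name`/`token`/`der` fields and the sample entries are assumptions made for illustration.

```javascript
// Constructed sample: one row per (certificate, token) pair, as a client-auth
// chooser would enumerate them. `der` stands in for the certificate's DER bytes.
const SAMPLE_ENTRIES = [
  { name: "Zoe Example", token: "Software Security Device",
    der: Uint8Array.of(0x30, 0x03, 0x01, 0x01, 0x02) },
  { name: "David Example", token: "OS Client Cert Token (Modern)",
    der: Uint8Array.of(0x30, 0x03, 0x01, 0x01, 0x01) },
  { name: "David Example", token: "Software Security Device",
    der: Uint8Array.of(0x30, 0x03, 0x01, 0x01, 0x01) },
];

// Two entries are the same certificate when their DER encodings are byte-identical.
function certKey(der) {
  return Array.from(der, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Manager view: one row per certificate, listing every token that holds it.
function managerRows(entries) {
  const byCert = new Map();
  for (const { name, token, der } of entries) {
    const key = certKey(der);
    if (!byCert.has(key)) byCert.set(key, { name, tokens: [] });
    const row = byCert.get(key);
    if (!row.tokens.includes(token)) row.tokens.push(token);
  }
  return [...byCert.values()]
    .map((r) => ({
      name: r.name,
      tokens: [...r.tokens].sort(),
      onMultipleTokens: r.tokens.length > 1,
    }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Chooser view: still one row per (certificate, token) pair, because picking a
// specific token may matter, but sorted by name then token, with the token in
// the label so the copies can be told apart.
function chooserRows(entries) {
  return entries
    .map(({ name, token }) => ({ name, token, label: `${name} [${token}]` }))
    .sort((a, b) =>
      a.name.localeCompare(b.name) || a.token.localeCompare(b.token));
}
```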