Closed Bug 188571 Opened 22 years ago Closed 22 years ago

Cannot import personal cert from AOL phonebook

Categories

(Core Graveyard :: Security: UI, defect)

1.0 Branch
x86
Windows 2000
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED INVALID

People

(Reporter: junruh, Assigned: KaiE)


1.) Visit the inhouse site http://phonebook/
2.) Lookup someone who has not sent you a signed email.
3.) Click on "Import Certificate".
What happens: Nothing.
What is expected: That the cert would appear in the Cert Manager in Other People's tab.
FYI. The end of the line of code involved is: =userCertificate;binary&application/x-x509-email-cert&0"
I believe this is still the same cause that has been explained (by shadow) a while ago. Our corporate certs are dual key certs. The LDAP server stores both signing and encryption key. However, the phonebook site is not able to hand out both certs, nor is it aware of dual key certs at all. When you try to download, it will give you whatever cert happens to be stored first. If the cert you are getting is the signature cert, you won't see it in cert manager, because the other people's tab only displays other's encryption certs, not signature certs.
AH HA! So, mozilla only displays other people's encryption certs. That's not unreasonable, but I didn't know it before. Thanks for this good detective work, Kai! Even if mozilla showed me the other user's signature certs, it wouldn't do me any good. I couldn't send that user an encrypted message. I don't need a user's signature cert until I have something he signed, and that signature will likely bring the signature cert with it. Clearly, phonebook should strive to always send out encryption certs, not signature certs. I wonder if shadow can fix that. So, when a server downloads a signature-only cert, what should mozilla do? Seems like it should do something to alert the user. Saying "this signature only cert does you no good" would be very helpful. But is it reasonable to ask mozilla to do that?
> I don't need a user's signature cert until I have something he signed, and
> that signature will likely bring the signature cert with it.

Yes. I believe (hope) we don't store signature-only certs at all. For mail verification purposes it's enough to have such a cert in the particular message.

> Clearly, phonebook should strive to always send out encryption certs, not
> signature certs. I wonder if shadow can fix that.

He said, the old phonebook system is no longer being maintained, so don't expect a fix.

> So, when a server downloads a signature-only cert, what should mozilla do?
> Seems like it should do something to alert the user. Saying "this signature
> only cert does you no good" would be very helpful. But is it reasonable
> to ask mozilla to do that?

I'd personally say, this is a low priority item. Servers should not deliver such content. If they do, it doesn't cause any harm.

Marking invalid because the original problem report is not a problem in the client.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
I disagree that it doesn't cause harm. It leads to user confusion and dissatisfaction, and ultimately it makes more support work for you and me.
Verified invalid.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard