Closed
Bug 188571
Opened 22 years ago
Closed 22 years ago
Cannot import personal cert from AOL phonebook
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
VERIFIED
INVALID
People
(Reporter: junruh, Assigned: KaiE)
1.) Visit the in-house site http://phonebook/
2.) Look up someone who has not sent you a signed email.
3.) Click on "Import Certificate".
What happens: Nothing.
What is expected: That the cert would appear in the Cert Manager in Other
People's tab.
FYI. The end of the line of code involved is:
=userCertificate;binary&application/x-x509-email-cert&0"
Comment 1•22 years ago (Assignee)
I believe this is still the same cause that has been explained (by shadow) a
while ago.
Our corporate certs are dual key certs. The LDAP server stores both signing and
encryption key. However, the phonebook site is not able to hand out both certs,
nor is it aware of dual key certs at all. When you try to download, it will give
you whatever cert happens to be stored first. If the cert you are getting is the
signature cert, you won't see it in cert manager, because the other people's tab
only displays other's encryption certs, not signature certs.
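Added example, not part of the bug thread and not Mozilla's code: a way to tell which half of a dual-key pair a server handed out, by decoding the X.509 keyUsage extension (RFC 5280) from DER bytes. It assumes the signing/encryption split is expressed in keyUsage; the thread does not say which field Mozilla's Cert Manager checks, and the sample bytes are constructed.

```python
# Added example: classify a DER certificate (or bare Extension) by its keyUsage bits.
KEY_USAGE_OID = bytes.fromhex("0603551d0f")   # OID 2.5.29.15 (id-ce-keyUsage), DER-encoded
BIT_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment",
             "dataEncipherment", "keyAgreement", "keyCertSign",
             "cRLSign", "encipherOnly", "decipherOnly"]  # RFC 5280 bit order

def read_tlv(buf, pos, expected_tag):
    """Return (value, next_pos) for a short- or long-form DER TLV at pos."""
    if buf[pos] != expected_tag:
        raise ValueError(f"expected tag {expected_tag:#x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return buf[pos:pos + length], pos + length

def key_usages(der):
    """Set of keyUsage names, or None when the extension is absent."""
    at = der.find(KEY_USAGE_OID)            # simplification: byte search, not a full ASN.1 walk
    if at < 0:
        return None
    pos = at + len(KEY_USAGE_OID)
    if der[pos] == 0x01:                    # optional BOOLEAN 'critical'
        _, pos = read_tlv(der, pos, 0x01)
    octets, _ = read_tlv(der, pos, 0x04)    # extnValue OCTET STRING
    bits, _ = read_tlv(octets, 0, 0x03)     # which wraps a BIT STRING
    unused, payload = bits[0], bits[1:]
    total = len(payload) * 8 - unused
    return {BIT_NAMES[i] for i in range(min(total, len(BIT_NAMES)))
            if payload[i // 8] & (0x80 >> (i % 8))}   # bit 0 is the MSB of the first byte

def classify(der):
    usages = key_usages(der)
    if usages is None:
        return "unrestricted"               # no keyUsage: RFC 5280 places no restriction
    can_encrypt = bool(usages & {"keyEncipherment", "keyAgreement"})
    can_sign = bool(usages & {"digitalSignature", "nonRepudiation"})
    if can_encrypt:
        return "dual-use" if can_sign else "encryption"
    return "signature-only" if can_sign else "other"

# Constructed Extension structures (not taken from any real certificate).
SIGNING = bytes.fromhex("300e0603551d0f0101ff040403020780")
ENCRYPTION = bytes.fromhex("300e0603551d0f0101ff040403020520")

if __name__ == "__main__":
    for name, der in (("signing", SIGNING), ("encryption", ENCRYPTION)):
        print(name, sorted(key_usages(der)), "->", classify(der))
```
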
Comment 2•22 years ago
AH HA! So, mozilla only displays other people's encryption certs.
That's not unreasonable, but I didn't know it before.
Thanks for this good detective work, Kai!
Even if mozilla showed me the other user's signature certs, it wouldn't do
me any good. I couldn't send that user an encrypted message.
I don't need a user's signature cert until I have something he signed, and
that signature will likely bring the signature cert with it.
Clearly, phonebook should strive to always send out encryption certs, not
signature certs. I wonder if shadow can fix that.
So, when a server downloads a signature-only cert, what should mozilla do?
Seems like it should do something to alert the user. Saying "this signature
only cert does you no good" would be very helpful. But is it reasonable
to ask mozilla to do that?
Comment 3•22 years ago (Assignee)
> I don't need a user's signature cert until I have something he signed, and
> that signature will likely bring the signature cert with it.
Yes. I believe (hope) we don't store signature-only certs at all. For mail
verification purposes it's enough to have such a cert in the particular message.
> Clearly, phonebook should strive to always send out encryption certs, not
> signature certs. I wonder if shadow can fix that.
He said, the old phonebook system is no longer being maintained, so don't expect
a fix.
> So, when a server downloads a signature-only cert, what should mozilla do?
> Seems like it should do something to alert the user. Saying "this signature
> only cert does you no good" would be very helpful. But is it reasonable
> to ask mozilla to do that?
I'd personally say, this is a low priority item. Servers should not deliver such
content. If they do, it doesn't cause any harm.
Marking invalid because the original problem report is not a problem in the client.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Comment 4•22 years ago
I disagree that it doesn't cause harm. It leads to user confusion and
dissatisfaction, and ultimately it makes more support work for you and me.
Updated•8 years ago
Product: Core → Core Graveyard