Signed xpi test showing success in error

NEW
Assigned to

Status

16 years ago
3 years ago

People

(Reporter: agracebush, Assigned: samir_bugzilla)

Tracking

Trunk
x86
Windows XP

Firefox Tracking Flags

(Not tracked)

(Reporter)

Description

16 years ago
Steps to reproduce:
using build 2003022108

run test for signed-badca.xpi
cert is not displayed but dialog returns 'success' -
(Reporter)

Comment 1

16 years ago
-> dougt
Assignee: dveditz → dougt

Comment 2

16 years ago
dan, terry, mitch --

Consider the case when a user downloads a software install that is signed but
the CA isn't present in that user's database. Should we just treat this install
as "unsigned" or should we treat this install as "broken"?
I say we warn, but allow. Maybe bring up a dialog mentioning the signer and the
CA, and saying that this is not a CA that we trust, but allow the option to
continue with the install.

Comment 4

16 years ago
I agree.  In general we allow the user to proceed with an operation after 
warning them that the security checks have failed.  For SSL they can accept an 
untrusted host certificate.  For S/MIME they can read and act on an email 
message even though the signature is broken.

We should warn the user that the signer's certificate cannot be validated and 
allow them to continue with the installation.

Comment 5

16 years ago
Currently, we say that the install is "unsigned".
It's not quite the same as unsigned - can we add dialog text specifically for
the "invalid CA" case?

Comment 7

16 years ago
I agree that the application should have a dialog and overall better UI in
regards to signed installs. Over to samir.
Assignee: dougt → sgehani
QA Contact: agracebush → xpi-engine
Product: Core → Core Graveyard