Closed
Bug 274616
Opened 20 years ago
Closed 14 years ago
cannot import received smime certificates
Categories
(Thunderbird :: Mail Window Front End, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 209182
People
(Reporter: olaf.schlueter, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0
There is no visible way in thunderbird to import an encryption certificate
received with a signed smime message into the certificate store for later
delivery of encrypted messages back to the sender.
If the signer certificate is not trusted (it is not signed by an already
configured CA) there is no visible way to change that. Thus it is impossible to
accept self-signed certificates.
Reproducible: Always
Steps to Reproduce:
1. Open a signed smime message received from another user with a certificate
either self-signed or issued by an untrusted CA.
Actual Results:
The signed indication in the message window displays a broken signature.
Double-clicking on it explains that the reason for the broken signature is an
untrusted signer certificate. No options are displayed to change the trust
setting. No option is displayed to export the signer and/or encryption
certificate contained in the message.
Expected Results:
Offer a button to accept the certificate as trusted.
Offer a button to export and/or install the certificates (at least the encryption
certificate) into the personal certificate store
Comment 1•20 years ago
I bet Nelson can explain why this is, or if it's a bug.
Comment 2•20 years ago
Seamonkey has this same problem. I think there's an open bug about that
(for seamonkey) but it's not showing up in my searches at this time.
We don't automatically import (much less trust) certs that come along with
an S/MIME message unless they can be validated using a known and trusted
cert (typically a trusted root). If we did automatically import unvalidated
(or invalid) certs, that would make the program (be it seamonkey or tbird)
vulnerable to various known attacks. So, user decision is required to
import unvalidated certs.
So, I agree with Olaf that the UI that displays a peer's cert chain,
whether an SSL server's cert chain or an S/MIME email cert chain, should
also let the user choose to import any cert in that chain, and should also
allow the user to edit the trust on any imported cert in that chain.
I'd suggest that the UI to do this be part of the "detailed view" of the
individual cert.
One more point here. An email message can contain multiple cert chains:
a signature cert chain (which validates the signature on the email) and
an encryption cert chain (with which the recipient can send back an
encrypted reply). I believe that, at present, the cert chain viewing UI
for email only shows the signature chain. But generally speaking, we never
want to import certs from the signature chain (unless they happen to also
be part of the encryption chain). We only want to import certs from the
encryption chain. Now, if (as is very often the case) the signer's
signature cert is also his encryption cert (implying that the signing and
encryption chains are the same chain), then displaying the signature
chain also could (and should, IMO) provide the viewer with the opportunity
to import and/or trust any certs in that chain. But if the message has
only a signing chain (which is not also an encryption chain), or if the
message has separate signing and encryption chains, then IMO the UI should
NOT give the user the chance to import the certs in the signing chain, but
only the certs in the encryption chain. And presently, AFAIK, there is no
UI to view the encryption chain - only the signing chain. Seems like the
cert chain viewing UI code should be able to be reused for both purposes,
signing and encryption chain viewing. But there's no way now (AFAIK) for
the user to say "show me the encryption chain".
So, I'd say that there's a bunch of work for someone to do in the email
clients' UI, adding a way to view encryption chain, adding a way to import
each cert in the chain (individually), and adding a way to edit the trust
on imported certs (only) in the chain. And I'd hope that would be done
for both seamonkey and TBird.
Status: UNCONFIRMED → NEW
Ever confirmed: true
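The import policy proposed in comment 2, modelled as an added example (not code from Thunderbird, Seamonkey or NSS, and not written by any commenter). The Cert class, the function names, the action labels and the sample chains are constructed for illustration; chain validation is reduced to issuer/subject name matching with no signature checks.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def validates(chain, trusted_roots):
    """Leaf-first chain validates if each cert is issued by the next one and
    the top cert's issuer is a trusted root (names only, no cryptography)."""
    if not chain:
        return False
    for child, parent in zip(chain, chain[1:]):
        if child.issuer != parent.subject:
            return False
    return chain[-1].issuer in trusted_roots

def ui_actions(signing_chain, encryption_chain, trusted_roots, imported=frozenset()):
    """Map each cert subject to the actions the chain viewer should offer."""
    enc_ok = validates(encryption_chain, trusted_roots)
    actions = {}
    for cert in dict.fromkeys(list(signing_chain) + list(encryption_chain)):
        if cert.subject in imported:
            actions[cert.subject] = {"edit-trust"}          # imported certs only
        elif cert not in encryption_chain:
            actions[cert.subject] = set()                   # signing-only: view, never import
        elif enc_ok:
            actions[cert.subject] = {"auto-import"}         # validated by a trusted root
        else:
            actions[cert.subject] = {"ask-user-to-import"}  # user decision required
    return actions

# Constructed sample data (hypothetical names).
TRUSTED = {"Known Root CA"}
SELF_SIGNED = Cert("olaf", "olaf")                 # one cert used for signing and encryption
UNTRUSTED_CA = Cert("Untrusted CA", "Untrusted CA")
ALICE_SIGN = Cert("alice-sign", "Untrusted CA")    # signing-only leaf
ALICE_ENC = Cert("alice-enc", "Untrusted CA")      # encryption-only leaf
BOB = Cert("bob", "Known Root CA")                 # issued by a trusted root

if __name__ == "__main__":
    print(ui_actions([SELF_SIGNED], [SELF_SIGNED], TRUSTED))
    print(ui_actions([ALICE_SIGN, UNTRUSTED_CA], [ALICE_ENC, UNTRUSTED_CA], TRUSTED))
    print(ui_actions([BOB], [BOB], TRUSTED))
```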
Updated•18 years ago
QA Contact: front-end
Comment 3•17 years ago
I have had the same issue trying to install certificates received from thawte.com.
Thawte utilizes Verisign-based software and is a recognized cert authority. Thawte offers free public/private keys for email signing and encryption.
Installed without issue in outlook and navigator 7.2 but not into t'bird.
Vista H.P., t'bird 2.0.0.14
Updated•17 years ago
Assignee: mscott → nobody
Updated•15 years ago
Component: Mail Window Front End → Import
OS: Windows 2000 → All
Product: Thunderbird → MailNews Core
QA Contact: front-end → import
Comment 4•14 years ago
Wayne this would fall into Thunderbird UI -> PSM integration.
Component: Import → Mail Window Front End
Product: MailNews Core → Thunderbird
QA Contact: import → front-end
Comment 5•14 years ago
Appears to be a duplicate of bug #209182, which hasn't seen much activity lately.
Comment 6•14 years ago
(In reply to comment #5)
> Appears to be a duplicate of bug #209182, which hasn't seen much activity
> lately.
I agree.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE