Bug 281539 - mozilla (and thunderbird) can't find certificate
Status: Closed, RESOLVED INVALID
Opened 20 years ago; closed 20 years ago
Categories: MailNews Core :: Security: S/MIME, defect
Tracking: Not tracked
People: Reporter: mozilla; Assigned: KaiE
Attachments: 2 files
User-Agent: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20041216 Firefox/1.0
Build Identifier: Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.7.5) Gecko/20041216 Firefox/1.0

A co-worker sent me signed email using a standard assured (with his name in it) Thawte email certificate. View Message Security Info is quite happy with it. When I reply and select encryption, viewing security info for the reply says "encryption not possible" because it has no cert, and sure enough, trying to send it fails. This happens in both Mozilla 1.7.3 and Thunderbird 1.0 on FreeBSD. I've not run into this before, but have only just got all my coworkers using certs, so haven't had the opportunity before.

Reproducible: Didn't try
Comment 1 (Reporter) • 20 years ago
This is now repeatable: mozilla, on both freebsd and windoze, refuses to accept my co-worker's cert. He's sending from windoze:
User-Agent: Mozilla Thunderbird 1.0 (Windows/20041206)
Comment 2 (Reporter) • 20 years ago
This is the raw file out of the imap spool area
Comment 3 (Reporter) • 20 years ago
Update: Tim got a new cert from thawte and it works fine...
Comment 4 • 20 years ago
That cert only lists:
X509v3 Key Usage: critical
Digital Signature
So maybe that cert is only for signing (note: I'm far from being an expert on encryption, certs, etc.)?

Assignee: general → kaie
Component: General → S/MIME
Product: Mozilla Application Suite → PSM
QA Contact: general
Comment 5 • 20 years ago
Nelson: You can comment on Comment 4 from me (I think you know better what's going on here than me :)?
Comment 6 • 20 years ago
Not all certificates are good for both signing and encryption. Some certs are only good for one, some only good for the other. The mere presence of a cert in a signed message does NOT necessarily imply that you will be able to send an encrypted reply to it.

When a person has a signature-only cert, often he will also have a separate encryption cert. His email program should send BOTH certs in any signed emails he sends, so that his recipient will be able to validate the signature with the signature cert, and will be able to send an encrypted reply with the encryption cert.

The message to which you were trying to reply had been signed with a certificate that is only usable for signing, not for encryption. It did not also contain an encryption cert. So you only received his signing cert. It is not possible for you to send an encrypted email to that person using only his signing-only certificate. You need to have a copy of his encryption cert in order to send an encrypted message to him.

When mozilla processes received S/MIME emails, it examines each cert in the message and keeps the certs that are valid for encryption in your cert DB, so that you can use them to send encrypted emails. It does not keep certs that are valid only for signatures because a) you can only use them to validate signatures from that person, and b) there will be a copy of the signature cert attached to every message that is signed, so there's no need to find such a cert anywhere else.

So, it appears to me that mozilla worked properly and as intended with respect to this signed email and certificate. And so, I'm inclined to mark it invalid.

However, it *could* be the case that the cert displaying UI in FF doesn't adequately display the fact that the cert is for signing only. If so, this bug could be morphed into a UI bug for FF security UI, asking FF to make this point more obvious. I will do some testing and add another comment here.
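As an added illustration of the key-usage dump in comment 4 and the keep/encrypt rule in comment 6 (example code written for this page, not from the bug, Mozilla or NSS), the Go snippet below builds a constructed self-signed cert carrying only the Digital Signature key usage and applies the same check a mailer would before offering it for encryption. The subject "tim@example.com" and the 24-hour validity are assumptions.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a self-signed test cert with the given key usage bits (constructed for this example).
func makeCert(usage x509.KeyUsage, email string) *x509.Certificate {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: email},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     usage, // emitted as a critical X509v3 Key Usage extension when non-zero
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// allows: a cert with no Key Usage extension at all is conventionally treated as unrestricted.
func allows(c *x509.Certificate, bit x509.KeyUsage) bool {
	return c.KeyUsage == 0 || c.KeyUsage&bit != 0
}

// Comment 6's rule: a mailer keeps, and can encrypt to, a cert only when its key
// may be used for key encipherment (RSA key transport in S/MIME).
func usableForEncryption(c *x509.Certificate) bool { return allows(c, x509.KeyUsageKeyEncipherment) }
func usableForSigning(c *x509.Certificate) bool { return allows(c, x509.KeyUsageDigitalSignature) }

func main() {
	c := makeCert(x509.KeyUsageDigitalSignature, "tim@example.com") // signing-only, as in comment 4
	fmt.Printf("sign=%v encrypt=%v\n", usableForSigning(c), usableForEncryption(c))
}
```

Running it prints sign=true encrypt=false for the signing-only cert, which is exactly why the reply's "encryption not possible" message appears while signature verification succeeds.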
Comment 7 • 20 years ago
This is how PSM's cert viewer displays the cert in Seamonkey on windows. At the very top it lists the valid uses of the cert. It lists only signing, not encryption. Perhaps this UI could be displayed by always displaying a box for each recognized usage, and saying explicitly whether the cert is or is not allowed for each one. Perhaps that would better call attention to the absence of encryption permission in the cert. But it would take more real estate.
Comment 8 • 20 years ago
Ok, so somehow Thawte gave out some bogus cert to that user. Well, not our problem for now ;), also the Reporter wrote that requesting a new cert produced a valid cert.
Comment 9 (Reporter) • 20 years ago
That does appear to be the case; having the UI note such cases would be helpful, though I'd sure like to know why Thawte generated such a cert. Have to take that up with them though. Thanks for the explanation!
Comment 10 • 20 years ago
Marking invalid. No bug in mozilla was shown.

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → INVALID
Comment hidden (offtopic)
Comment 12 • 9 years ago
Backout: https://hg.mozilla.org/integration/b2g-inbound/rev/4cb80fcf0be8