Closed Bug 281811 Opened 20 years ago Closed 16 years ago

Need display of monetary transaction value limit

Categories

(Firefox :: General, enhancement)

enhancement
Not set
normal

RESOLVED WONTFIX
Future

People

(Reporter: varga.viktor, Unassigned)

References

(Depends on 1 open bug)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.7.5) Gecko/20041110 Firefox/1.0

There was a bug report here:
https://bugzilla.mozilla.org/show_bug.cgi?id=277797

To handle this type of certificate, a UI is needed too.
Please read that bug; it describes the whole problem.

Reproducible: Always

Steps to Reproduce:

Actual Results:  
At this time, the certificate is unimportable into the Mozilla product line. (Same
problem in Firefox, Mozilla, Thunderbird.)

Expected Results:  
There should be a UI to handle this.

This problem will be more general if electronic signing is going to be more
popular in the EU. This extension is included in an EU recommendation.

Cross this bridge when we come to it.  From the look of the NSS bug this is
going to be a while.
Assignee: firefox → nobody
Status: UNCONFIRMED → NEW
Depends on: 277797
Ever confirmed: true
OS: Windows XP → All
Hardware: PC → All
Target Milestone: --- → Future
Viktor Varga,  This enhancement request doesn't describe what is needed
or wanted in the UI.  Please explain.
(In reply to comment #2)
> Viktor Varga,  This enhancement request doesn't describe what is needed
> or wanted in the UI.  Please explain.

This certificate feature includes some statements and a value.

If a certificate uses this type of feature, the UI should display something like
the other certificate alerts.

In my opinion, at first, when somebody imports a certificate with this extension,
it is enough if you give a pop-up window with the statements and two
options: "I agree, import it." and "I don't agree, forget it."
These statements are predefined by the ETSI and the EU recommendations, so they
are translatable to local languages too.
In one of these statements there is a money value too, which should be displayed
on this pop-up.

In other opinions, it is not enough to display this at the import; this money
value should be displayed somewhere in the browser when a certificate of this
type is used.

Who can decide which is the correct way?

The problem behind this is that, if you set this value critical, a program must
handle this feature to use it. But how can you handle the value of browsing?
Or of sending an email? You can only display it or give an API to the Java/script
programs to handle this value, if they want.


(In reply to comment #2)
> Viktor Varga,  This enhancement request doesn't describe what is needed
> or wanted in the UI.  Please explain.

I am thinking about the possibilities, and I have some ideas:
a) putting the statement value into the status line
b) I have sometimes seen that there is a popup blocker which sends a message to me if it
has blocked a popup window. Maybe this feature is usable for this purpose.

Any other idea?

Checking the following RFCs, this extension does not need to be set to critical.

So, if we set this extension NOT CRITICAL, it is a good solution.


None of the software handles this extension, and it is hard to determine a financial value for an email or a site.

(This extension is more like a part of an EULA, than a really usable extension, and mostly needed for the lawyers, because the closing out value, than the applications.)

So the fast and simple solution:
NOT RECOMMENDED TO SET THIS EXTENSION TO CRITICAL.

Maybe this bug request is closable, because it is solvable in a different way. (Set it not to critical.)



Victor, you seem to be suggesting that the solution is that all certs 
issued with this cert extension should mark the extension as non-critical.
But is that what European CAs are going to do?  
Are they going to typically mark this extension non-critical?
Are any European CAs now issuing certs with the extension marked critical?
Is there really no further need for mozilla & NSS to handle this extension?
Summary: Needing an UI for a certificate feature → Need display of monetary transaction value limit
(In reply to comment #6)
> Victor, you seem to be suggesting that the solution is that all certs 
> issued with this cert extension should mark the extension as non-critical.
> But is that what European CAs are going to do?  
> Are they going to typically mark this extension non-critical?
> Are any European CAs now issuing certs with the extension marked critical?
> Is there really no further need for mozilla & NSS to handle this extension?

By the RFC and by the ETSI it is not needed to mark it as critical. The only thing the RFC says is that these statements should be marked together.

The practice is that this is not marked critical.
(If there is any which wants to work with the Mozilla product line, there should be more than one bug request in Bugzilla. Because this extension is not supported now by any browser, it is a good decision from the other CAs.)

If you look at some of the Qualified certificates which are given by CAs, some of them are breaking the RFC because of another incompatibility.
The qualified certificate should have the NonRep bit only, but most software nowadays needs the DigSig bit to use a certificate for signing.

Just FYI, the Swiss regulatory frameworks currently mandatorily ask for the qc-statement to be "critical", but they might reconsider for the next version of the decree/ordinance.

Thank you for the info.

I thought about this bug, and I think it is much more a philosophical bug than a real one. Maybe we should close it.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
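
The criticality question debated in this thread, as an added example that is not part of the bug report or of any Mozilla/NSS code: a minimal DER walk over one X.509 extension that applies the RFC 5280 rule for unrecognised critical extensions and extracts the monetary limit for display. It assumes the extension is qcStatements (RFC 3739) carrying the ETSI QcLimitValue statement with an alphabetic currency code; the function names and the constructed sample bytes are not from the page.

```python
QC_STATEMENTS = "1.3.6.1.5.5.7.1.3"  # id-pe-qcStatements (RFC 3739)
QC_LIMIT_VALUE = "0.4.0.1862.1.2"    # ETSI QcLimitValue statement (assumed target)

def tlv(buf, pos=0):
    """Decode one DER element: (tag, value bytes, offset of next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(buf):  # split constructed content into (tag, value) pairs
    out, pos = [], 0
    while pos < len(buf):
        tag, val, pos = tlv(buf, pos)
        out.append((tag, val))
    return out

def oid(val):  # dotted form; handles first arc 0 or 1 only
    arcs, n = [val[0] // 40, val[0] % 40], 0
    for b in val[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))

def to_int(val):
    return int.from_bytes(val, "big", signed=True)

def check_extension(ext_der, understood=()):
    """Return (acceptable, limit); limit is (currency, value) or None."""
    parts = children(tlv(ext_der)[1])
    ext_oid = oid(parts[0][1])
    critical = parts[1][0] == 0x01 and parts[1][1] != b"\x00"
    # RFC 5280: an unrecognised critical extension means the certificate is rejected.
    acceptable = not critical or ext_oid in understood
    limit = None
    if ext_oid == QC_STATEMENTS:
        for _, stmt in children(tlv(parts[-1][1])[1]):
            fields = children(stmt)
            if oid(fields[0][1]) == QC_LIMIT_VALUE and len(fields) > 1:
                cur, amount, exp = children(fields[1][1])  # alphabetic currency assumed
                limit = (cur[1].decode("ascii"), to_int(amount[1]) * 10 ** to_int(exp[1]))
    return acceptable, limit

# Constructed sample (not from a real certificate): limit of 10 * 10^3 EUR.
_BODY = "06082b06010505070103{}041930173015060604008e460102300b130345555202010a020103"
CRITICAL = bytes.fromhex("3028" + _BODY.format("0101ff"))  # critical = TRUE
NON_CRITICAL = bytes.fromhex("3025" + _BODY.format(""))    # flag omitted (DEFAULT FALSE)
```

With the critical flag set, a client that does not list the extension in `understood` has to refuse the certificate, which matches the import failure reported above; the non-critical encoding is accepted and the limit is still available to show the user.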