Closed Bug 308857 Opened 19 years ago Closed 19 years ago

No confirmation dialog shown after installing personal cert

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 176507

People

(Reporter: sfraser_bugs, Assigned: KaiE)

Details

(Whiteboard: [kerh-eha])

When installing a personal cert (say, one that you've just generated at a CA
site), we don't show any confirmation dialog that the cert has been installed.
Because of this, many CA sites show a warning on the page -- this from Thawte:

"Note Netscape users: When fetch is clicked, nothing appears on the page,
however the certificate is automatically downloaded into your browser."

cacert.org says:

"...if you are using mozilla/netscape based browsers you will not be informed
that the certificate was installed..."

It seems stupid that we just don't show a message that the cert was successfully
installed. I'm not sure that we do even if the installation failed (like if you
have the cert already).

The issue here is exacerbated by the fact that cert installation links sent by
email (e.g. Thawte sends
https://www.thawte.com/cgi/personal/cert/deliver.exe?serial=NNNNNNN) show a
blank tab in the browser (with an empty, but secure-looking url bar) when
clicked. It's not obvious that anything happened.

Once upon a time, PSM DID show a confirmation dialog, and CAs hated it.
They expressed the strong desire to be able to supply their own web pages 
providing that confirmation, rather than using a browser dialog (which they 
felt most users didn't understand).  So the dialog was intentionally removed.
It is now the CA's responsibility to provide that info to the user.  

You've undoubtedly seen some web pages for downloading files that say "Your
download should begin in a few seconds.  If it doesn't click here".   Well
that is the same thing that CAs are supposed to do to download the user's cert.
The difference is merely the mime content type of the subsequent download.

(In reply to comment #2)
> Once upon a time, PSM DID show a confirmation dialog, and CAs hated it.
> They expressed the strong desire to be able to supply their own web pages 
> providing that confirmation, rather than using a browser dialog (which they 
> felt most users didn't understand).  So the dialog was intentionally removed.
> It is now the CA's responsibility to provide that info to the user.  

Is it possible for the CA to know if the cert was successfully installed? E.g.
maybe the user failed to enter a correct password for the "Software security
device", or the cert already exists.

> You've undoubtedly seen some web pages for downloading files that say "Your
> download should begin in a few seconds.  If it doesn't click here".   Well
> that is the same thing that CAs are supposed to do to download the user's cert.
> The difference is merely the mime content type of the subsequent download.

I've seen more pages that say "netscape shows no dialog" than those that provide
their own UI. I think that if we came up with a dialog that has sensible
wording, it would be acceptable to CAs.

In my opinion, user feedback is good. Not only because we tell the user, the
download worked...

I think an even better argument is, the user now owns a personal certificate
(containing a precious private key) that is worth being saved on a backup media.
Making the user aware of this new possession is a good thing, IMHO.

It seems, there are several CAs who do not use the mentioned potential mechanism
to provide additional user feedback. 

IMHO, these facts are good arguments to add the proposed user feedback.

A possible way to please the CAs who hate the feedback and want to go the extra
mile and suppress feedback in the client:

introduce a new, special mimetype-variant, like "usercertificate-download-silent"

Blocks: 310446

Please see bug 310446 comment 4.

I've produced a new patch that combines the various requests to give user
feedback with certificate details.

Whiteboard: [kerh-eha]
Nelson, Mozilla.org people have requested in bug 176507 that we must give feedback to the user. This is considered a blocker for the Firefox 2 release. I'm marking this bug as a duplicate.

*** This bug has been marked as a duplicate of 176507 ***
No longer blocks: 310446
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE