Closed Bug 308857 Opened 20 years ago Closed 20 years ago

No confirmation dialog shown after installing personal cert

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 176507

People

(Reporter: sfraser_bugs, Assigned: KaiE)

Details

(Whiteboard: [kerh-eha])

When installing a personal cert (say, one that you've just generated at a CA site), we don't show any confirmation dialog that the cert has been installed. Because of this, many CA sites show a warning on the page -- this from Thawte:

"Note Netscape users: When fetch is clicked, nothing appears on the page, however the certificate is automatically downloaded into your browser."

cacert.org says:

"...if you are using mozilla/netscape based browsers you will not be informed that the certificate was installed..."

It seems stupid that we just don't show a message that the cert was successfully installed. I'm not sure that we do even if the installation failed (like if you have the cert already).

The issue here is exacerbated by the fact that cert installation links sent by email (e.g. Thawte sends https://www.thawte.com/cgi/personal/cert/deliver.exe?serial=NNNNNNN) show a blank tab in the browser (with an empty, but secure-looking url bar) when clicked. It's not obvious that anything happened.

Once upon a time, PSM DID show a confirmation dialog, and CAs hated it. They expressed the strong desire to be able to supply their own web pages providing that confirmation, rather than using a browser dialog (which they felt most users didn't understand). So the dialog was intentionally removed. It is now the CA's responsibility to provide that info to the user.

You've undoubtedly seen some web pages for downloading files that say "Your download should begin in a few seconds. If it doesn't click here". Well that is the same thing that CAs are supposed to do to download the user's cert. The difference is merely the mime content type of the subsequent download.

(In reply to comment #2)
> Once upon a time, PSM DID show a confirmation dialog, and CAs hated it.
> They expressed the strong desire to be able to supply their own web pages
> providing that confirmation, rather than using a browser dialog (which they
> felt most users didn't understand). So the dialog was intentionally removed.
> It is now the CA's responsibility to provide that info to the user.

Is it possible for the CA to know if the cert was successfully installed? E.g. maybe the user failed to enter a correct password for the "Software security device", or the cert already exists.

> You've undoubtedly seen some web pages for downloading files that say "Your
> download should begin in a few seconds. If it doesn't click here". Well
> that is the same thing that CAs are supposed to do to download the user's cert.
> The difference is merely the mime content type of the subsequent download.

I've seen more pages that say "netscape shows no dialog" than those that provide their own UI. I think that if we came up with a dialog that has sensible wording, it would be acceptable to CAs.

In my opinion, user feedback is good. Not only because we tell the user the download worked... I think an even better argument is, the user now owns a personal certificate (containing a precious private key) that is worth being saved on a backup media. Making the user aware of this new possession is a good thing, IMHO.

It seems there are several CAs who do not use the mentioned potential mechanism to provide additional user feedback. IMHO, these facts are good arguments to add the proposed user feedback.

A possible way to please the CAs who hate the feedback and want to go the extra mile and suppress feedback in the client: introduce a new, special mimetype-variant, like "usercertificate-download-silent"

Blocks: 310446
Please see bug 310446 comment 4. I've produced a new patch that combines the various requests to give user feedback with certificate details.
Whiteboard: [kerh-eha]
Nelson, Mozilla.org people have requested in bug 176507 that we must give feedback to the user. This is considered a blocker for the Firefox 2 release. I'm marking this bug as a duplicate.

*** This bug has been marked as a duplicate of 176507 ***
No longer blocks: 310446
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE