Web site certificate trust and CA certificate trust for www.bookmarksonline.org are mutually exclusive



Core Graveyard
Security: UI
11 years ago
2 years ago


(Reporter: Miriam Frenay, Unassigned)






11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20070309 Firefox/

Editing the CA Trust settings for www.bookmarksonline.org, whose certificate I know to have expired on 10/4/2007, resets the trust settings for the web site certificate to not trust its authenticity. An attempt to fix this by editing the web site trust settings again then clears the trust settings for the corresponding CA.

Reproducible: Always

Steps to Reproduce:
1. Open https://www.bookmarksonline.org/
2. In the dialog that appears click Continue.
3. In the following dialog, choose "Accept this certificate permanently" and click OK.
4. Go to Tools -> Options -> Advanced -> Encryption -> View Certificates -> Web Sites.
5. Select the certificate for www.bookmarksonline.org and click Edit.
6. Click "Edit CA Trust".
7. Check "This certificate can identify web sites." and click OK.
8. Click Edit again and notice that "Do not trust the authenticity of this certificate." is now selected.
9. Select "Trust the authenticity of this certificate.", and click OK.
10. Again, click Edit, followed by "Edit CA Trust". Notice that the checkbox that was checked in step 7 is now cleared.

Actual Results:
Trusting the Certificate Authority clears the trust settings for the web site, and vice versa.

Expected Results:  
It should be possible to set the trust settings for the web site and the CA separately.

I noticed that the behavior for www.bookmarksonline.org's certificate is a bit strange compared to others. When I click "Edit CA Trust" in the "Edit web site certificate trust settings" dialog, the "Edit CA certificate trust settings" replaces the former. Recognizing the issuer stated in the former dialog as an LDAP DN, I noticed that its structure is unusual as it starts with an email address instead of the CN or OU. What's more, the CN is the same as the domain name, which is what I suspect Firefox is having a problem with.

Confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9a4pre) Gecko/2007042104 Minefield/3.0a4pre and Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv: Gecko/2007042004 BonEcho/

Also with a second Web Certificate 
Ever confirmed: true
Version: unspecified → 2.0 Branch
Assignee: nobody → kengert
Component: Preferences → Security: UI
Product: Firefox → Core
QA Contact: preferences → ui
Version: 2.0 Branch → 1.8 Branch
Version: 1.8 Branch → unspecified

Comment 2

6 years ago
reassign bug owner.
Assignee: kaie → nobody
We removed the "Edit CA Trust" button.
Last Resolved: 2 years ago
Resolution: --- → INVALID


2 years ago
Product: Core → Core Graveyard