Closed Bug 380605 Opened 19 years ago Closed 10 years ago

17 warnings when downloading this CA cert

Categories

(Core :: Security: PSM, defect)

x86
Windows XP
defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1257403

People

(Reporter: nelson, Unassigned)

Details

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a4pre) Gecko/20070418 SeaMonkey/1.5a

When I try to download and install a new root CA cert, I am presented with a dialog saying:

    Alert!
    This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved.
    [ OK ]

When I click OK, the dialog immediately reappears. I must click OK many times before it goes away and stays away. For the URL cited above, I must dismiss the dialog 17 times.

Another odd thing is that, despite the statement that the cert will not be imported, it actually IS imported.

Steps to reproduce:
1. Go to http://dodpki.c3pki.chamb.disa.mil/rootca.html
2. Find the link that says: Download Class 3 Root CA Certificate. That is a link to: http://dodpki.c3pki.chamb.disa.mil/rel3_dodroot_1024.cac Click on that link.
3. The "Downloading Certificate" Dialog box appears. Make sure all 3 check boxes in the dialog are UNCHECKED, and click OK.
4. Then the warning dialog appears for the first time.
5. Click OK 17 times.

Expected behavior: same as above except for steps 4 and 5. If it really is trying to import 17 certs, it ought to SHOW information about each one, so that the user will know which certs will not be imported.
The above URL downloads a PKCS#7 signed data file containing 12 certs, a root CA and 11 subordinate intermediate CA certs. I'd guess that there is one dialog being issued for each of the subordinate certs, except that more dialogs appear than certs in the PKCS#7 file.
Summary: must dismiss warning 17 times when downloading this CA cert → 17 warnings when downloading this CA cert
Blocks: 107491
fwiw, a year or two ago I was presented w/ a dialog chain like this for restoring backups on a device. Basically for each of an unknown number of files you were offered to replace or not replace the file. There could be 500+ dialogs.

I'd request that we create a "database" source parallel and equivalent to the "real/normal" database, and then let the user browse it the same way the user can browse the real database [tools>options>advanced>encryption>view certificates].

You'd see something like:

[o_Certificate Manager_______________________________________[_][=]_[x]
/Your_Certificates\/People\/Servers\/Authorities\/Others\/=Importable=\
|---------------------------------------------------------------------|
| The file <url> contains the following importable certificates       |
| Certificate name | Expires on | Problem | Issuer | ................ |
| {certificates listed, with tree, etc}                               |
| [ View ] [ Edit ] [ Import ] [ Export ] [ Delete ]                  |
| [ OK ]                                                              |

View would let you view the selected certificate (just like in other tabs).
Edit would let you edit the trust settings (to use when importing; the same trust settings/behavior as in other tabs, except this is applied to certificates that are not yet imported).
Import would import the selected certificates.
Export would let you export the selected certificates (just like in other tabs).
Delete would remove the selected certificates from the list (just like in other tabs).

Clicking OK would result in the remaining certificates not being imported.

Ideally certificates I can't import because of problems are visually distinct (italics, gray, ...).

Note: it should always be possible to export the certificates (even if they're invalid). If I want to explain to someone that a certificate I'm trying to load doesn't work, I should be able to get a single file w/ just the one certificate and send it to someone asking what's wrong with it.
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
This won't happen when we don't verify CA certs when importing.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE