Closed Bug 384611 Opened 16 years ago Closed 7 years ago

Bring back the purposes column in cert manager


(Core :: Security: PSM, enhancement)


(Reporter: KaiE, Unassigned)



In bug 383969 we removed the purposes column from cert manager.
We did so because, in order to provide the contents for the purposes column, a CertVerify call must be used, which can take too much time with OCSP enabled.

Globally disabling OCSP (while building cert manager info) is no longer an option. This can affect verification on other threads.

The idea of temporarily disabling OCSP for the duration of the function call on the caller thread was not accepted, and it's said to have potential other problems (bug 383963).

So, how could a better solution work?

The purposes column could initially be left empty, or filled with a "pending" text. A separate thread could be started to fetch verification information (including the OCSP response) on a separate thread. The UI could get updated as information comes in.

But is it really a good idea to do verification+OCSP for all the certs someone might own, each time they open cert manager? This causes additional network traffic. A user might be on a slow connection. The user might be offline...!

There are two variations of this idea.

First, the UI could have an additional button, which triggers verification for all certs on demand. Only after the user presses the button would cert manager start the additional thread to verify and obtain OCSP status.

Second, in order to minimize the traffic, we could do a scan through all the certs and group certs by OCSP responder. A single OCSP request (for multiple certs) for each unique responder might be sufficient with that approach. But this would require that cert manager starts calling OCSP on its own (it doesn't currently), or that NSS offered such a new functionality to operate like that on a list of certs.

While these are all great ideas, it is quite a bit of work to implement them.

Note that in cert manager you can always manually request detailed information about a cert by using the "view" button.
Depends on: 383969
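
An added sketch of the on-demand and grouped-by-responder variations described in the report above. It is not Mozilla or NSS code: the record layout, the `query` callback and all sample values are constructed assumptions, and serials are assumed unique within the sample.

```javascript
// Constructed sample records. "responder" stands in for the OCSP URL from a
// certificate's Authority Information Access extension (null when absent).
const CERTS = [
  { nickname: "mail-signing", serial: "01", responder: "http://ocsp.ca-one.example" },
  { nickname: "vpn-client", serial: "02", responder: "http://ocsp.ca-one.example" },
  { nickname: "web-login", serial: "0a", responder: "http://ocsp.ca-two.example" },
  { nickname: "old-test", serial: "0b", responder: null },
];

// Initial table state: rows appear immediately, purposes not yet known.
function buildRows(certs) {
  return certs.map((c) => ({ nickname: c.nickname, serial: c.serial, purposes: "pending" }));
}

// Group serials by responder so each unique responder gets a single request.
function planRequests(certs) {
  const byResponder = new Map();
  for (const c of certs) {
    if (!c.responder) continue; // no responder listed: no network request
    if (!byResponder.has(c.responder)) byResponder.set(c.responder, []);
    byResponder.get(c.responder).push(c.serial);
  }
  return [...byResponder].map(([responder, serials]) => ({ responder, serials }));
}

// Runs only when the user asks for it. `query(responder, serials)` is a
// hypothetical stand-in for the verification call; it returns
// { serial: purposesText } and throws when the responder is unreachable.
function verifyOnDemand(certs, rows, query) {
  let requestsSent = 0;
  for (const { responder, serials } of planRequests(certs)) {
    let results = null;
    try {
      results = query(responder, serials);
      requestsSent++;
    } catch (err) {
      results = null; // offline or timeout: show a state instead of blocking
    }
    for (const row of rows) {
      if (!serials.includes(row.serial)) continue;
      row.purposes = results ? (results[row.serial] ?? "unknown") : "could not verify";
    }
  }
  return requestsSent; // rows without a responder stay "pending"
}
```
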
Reassign bug owner.
Assignee: kaie → nobody
I'm not convinced this is useful to enough users to justify the effort (particularly when the certificate viewer does display this information).
Closed: 7 years ago
Resolution: --- → WONTFIX