Closed
Bug 455661
Opened 16 years ago
Closed 8 years ago
Ask user to confirm before deleting a personal certificate
Categories
(Core :: Security: PSM, enhancement)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: erick.fauquette, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080916043910 Minefield/3.1b1pre Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080916043910 Minefield/3.1b1pre Deleting certificates using "Tools > Options > Advanced > View Certificates > You certificates > Delete" erase the certificates on your smart card. This is done without any warning message (should be a minimum) Reproducible: Always Steps to Reproduce: 1.Select Tools > Options > Advanced > View Certificates > 2.Enter your smart card code pin 3.Select Your Certificates 4. Select certificates and then click on Delete Actual Results: Erase certificates on the smart card Expected Results: Only manage relation between certificates contain in the smart card and the browser, without any action on the smart card. We reproduce this on an other PC. As we use the "smart card reader" DLL there is no restriction.
|
||
Updated•16 years ago
|
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
|
||
Comment 1•16 years ago
|
||
I don't view this as a bug, but this is what I'd expect. The certificate is correctly marked as the smart card device and/or software device. A warning about deleting a certificate appears in any case. Deleting a certificate from either device can't be reversed.
|
Reporter | |
Comment 2•16 years ago
|
||
This certificate is also used to get access to my PC. Normally there is an Administrator password to mange certificate on the smart card Firefox only ask for the owner password to view certificates and authorize deleting without any more question... So I destroy my certificates without knowing that I was erasing my smart card. So as I say before tat a minimum we need a comprehensive warning explaining that the smart card will be erased, the best should be to ask the administrator password. By the way, my opinion is that it is not the job of the browser to manage certificates on the smart card. It seems to me to risk doing that. If I have done this erasing out of my office I had to wait my return to be able to work again with my PC.
|
||
Comment 3•16 years ago
|
||
I think it would be a good idea to ask the user for confirmation before finally deleting a personal certificate (with private key). We cold remind them about consequences and the option to create a backup before deleting.
Assignee: kaie → nobody
Severity: critical → enhancement
Summary: Smart card Certificate erasing → Ask user to confirm before deleting a personal certificate
|
|
||
Updated•16 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
|
|
Reporter | |
Comment 4•16 years ago
|
||
For software certificates I agree. For smart card certificate, a normal user is not able to write on the smart card. So if he erase the certificate he have to call is security manager to recreate the certificates on the smart card. So I suggest that on smart card the erasing of certificates should be at least more difficult (asking for administrator password for example) or impossible.
(In reply to Kai Engert (:kaie) from comment #3) > I think it would be a good idea to ask the user for confirmation before > finally deleting a personal certificate (with private key). Firefox currently prompts me to confirm I want to delete a client certificate, so it looks like this got fixed by another bug along the way somewhere.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•