Ask user to confirm before deleting a personal certificate

RESOLVED WORKSFORME

Status

()

Core
Security: PSM
--
enhancement
RESOLVED WORKSFORME
9 years ago
2 years ago

People

(Reporter: Erick Fauquette, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080916043910 Minefield/3.1b1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080916043910 Minefield/3.1b1pre

Deleting certificates using "Tools > Options > Advanced > View Certificates > You certificates > Delete" erase the certificates on your smart card.

This is done without any warning message (should be a minimum)



Reproducible: Always

Steps to Reproduce:
1.Select Tools > Options > Advanced > View Certificates >
2.Enter your smart card code pin
3.Select Your Certificates
4. Select certificates and then click on Delete

Actual Results:  
Erase certificates on the smart card

Expected Results:  
Only manage relation between certificates contain in the smart card and the browser, without any action on the smart card.

We reproduce this on an other PC.
As we use the "smart card reader" DLL  there is no restriction.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm

Comment 1

9 years ago
I don't view this as a bug, but this is what I'd expect. The certificate is correctly marked as the smart card device and/or software device. A warning about deleting a certificate appears in any case. Deleting a certificate from either device can't be reversed.
(Reporter)

Comment 2

9 years ago
This certificate is also used to get access to my PC.
Normally there is an Administrator password to mange certificate on the smart card
Firefox only ask for the owner password to view certificates and authorize deleting without any more question...
So I destroy my certificates without knowing that I was erasing my smart card.

So as I say before tat a minimum we need a comprehensive warning explaining that the smart card will be erased, the best should be to ask the administrator password.

By the way, my opinion is that it is not the job of the browser to manage certificates on the smart card. It seems to me to risk doing that.

If I have done this erasing out of my office I had to wait my return to be able to work again with my PC.

Comment 3

9 years ago
I think it would be a good idea to ask the user for confirmation before finally deleting a personal certificate (with private key). We cold remind them about consequences and the option to create a backup before deleting.
Assignee: kaie → nobody
Severity: critical → enhancement
Summary: Smart card Certificate erasing → Ask user to confirm before deleting a personal certificate

Updated

9 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 4

9 years ago
For software certificates I agree.
For smart card certificate, a normal user is not able to write on the smart card.
So if he erase the certificate he have to call is security manager to recreate the certificates on the smart card. So I suggest that on smart card the erasing of certificates should be at least more difficult (asking for administrator password for example) or impossible.
(In reply to Kai Engert (:kaie) from comment #3)
> I think it would be a good idea to ask the user for confirmation before
> finally deleting a personal certificate (with private key).

Firefox currently prompts me to confirm I want to delete a client certificate, so it looks like this got fixed by another bug along the way somewhere.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.