User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080916043910 Minefield/3.1b1pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b1pre) Gecko/20080916043910 Minefield/3.1b1pre

Deleting certificates using "Tools > Options > Advanced > View Certificates > Your Certificates > Delete" erases the certificates on your smart card. This is done without any warning message (there should be one, at a minimum).

Reproducible: Always

Steps to Reproduce:
1. Select Tools > Options > Advanced > View Certificates
2. Enter your smart card PIN code
3. Select Your Certificates
4. Select certificates and then click on Delete

Actual Results:
Erases certificates on the smart card.

Expected Results:
Only manage the relation between the certificates contained in the smart card and the browser, without any action on the smart card.

We reproduced this on another PC. As we use the "smart card reader" DLL there is no restriction.
I don't view this as a bug, but this is what I'd expect. The certificate is correctly marked as the smart card device and/or software device. A warning about deleting a certificate appears in any case. Deleting a certificate from either device can't be reversed.
This certificate is also used to get access to my PC. Normally there is an Administrator password to manage certificates on the smart card. Firefox only asks for the owner password to view certificates and authorizes deleting without any further question... So I destroyed my certificates without knowing that I was erasing my smart card. So as I said before, at a minimum we need a comprehensive warning explaining that the smart card will be erased; the best would be to ask for the administrator password. By the way, my opinion is that it is not the job of the browser to manage certificates on the smart card. It seems risky to me to do that. If I had done this erasing away from my office, I would have had to wait for my return to be able to work again with my PC.
I think it would be a good idea to ask the user for confirmation before finally deleting a personal certificate (with private key). We could remind them about consequences and the option to create a backup before deleting.
For software certificates I agree. For smart card certificates, a normal user is not able to write on the smart card. So if he erases the certificate he has to call his security manager to recreate the certificates on the smart card. So I suggest that on a smart card the erasing of certificates should be at least more difficult (asking for the administrator password, for example) or impossible.
(In reply to Kai Engert (:kaie) from comment #3)
> I think it would be a good idea to ask the user for confirmation before
> finally deleting a personal certificate (with private key).

Firefox currently prompts me to confirm I want to delete a client certificate, so it looks like this got fixed by another bug along the way somewhere.