Closed Bug 646205 Opened 14 years ago Closed 9 years ago

Unable to mark intermediate CA certificate as untrusted

Categories: Core :: Security: PSM, enhancement (enhancement, Not set, normal)

Tracking: RESOLVED DUPLICATE of bug 585352

People: Reporter: thoger, Unassigned
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; rv:1.9.2.16) Gecko/20110322
Build Identifier: Mozilla/5.0 (X11; Linux i686 on x86_64; rv:2.0) Gecko/20100101 Firefox/4.0

There does not seem to be a good way to mark intermediate CAs, that are automatically added to the Software Security Device when browsing the internet, as untrusted, without marking their parent CA in the Builtin Object Token as untrusted.

Reproducible: Always

Steps to Reproduce:
1. Create new testing profile.
2. Go to an https site that has a cert issued by a CA subordinate to a CA in the Builtin Object Token, such as https://addons.mozilla.org
3. Check Security Manager to see new "VeriSign Class 3 Extended Validation SSL CA" under "VeriSign, Inc.". This CA has no trust flags set ("Edit CA certificate trust settings" has all trust settings unchecked; certutil -L on the profile directory shows ",,").
4. Try to mark that intermediate CA as untrusted. There seem to be two ways:
   4.1 Hit "Edit Trust..." and OK without selecting any trust settings. This does not do any UI-visible change, but changes flags in the underlying NSS db to "c,c,c".
   4.2 Hit "Delete or Distrust..." and confirm.
5. Try connecting to the site again, or to another site with a certificate issued by the intermediate CA.

Actual Results:
Connection succeeds without any error. If the intermediate CA cert was deleted, it is re-added automatically.

Expected Results:
Connection should fail, at least in the 4.1 case.

This seems to be an NSS issue as similar behaviour can be reproduced with NSS command line tools:

  certutil -d nssdb -N
  modutil -add builtins -libfile libnssckbi.so -dbdir nssdb
  certutil -A -n 'VeriSign Class 3 Extended Validation SSL CA' -i VeriSignClass3ExtendedValidationSSLCA.pem -d nssdb -t c,c,c
  tstclnt -d nssdb -p 443 -h addons.mozilla.org

I'm not sure if this is to be considered an NSS bug, that should be addressed in NSS, or should better be addressed in the browser.
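The report's central observation is that the trust string certutil prints for the intermediate (",," before editing, "c,c,c" afterwards) never contains a flag that NSS treats as distrust, so the chain keeps validating through the builtin root. The following audit script is an added example, not code from this bug report or from NSS: it parses a `certutil -L` listing, decodes each of the three trust columns (SSL, S/MIME, JAR/XPI) using the trust letters documented for certutil's `-t` argument, and reports whether a column actually blocks the certificate, makes it an anchor, or leaves trust to be inherited from the issuer chain. The sample listing is constructed to mirror the scenario in the report; the nicknames in it are invented.

```python
"""Audit NSS trust attributes from `certutil -L` output.

Added example (not from the bug report or NSS). Trust letters follow the
certutil(1) -t documentation: p = prohibited (explicitly distrusted),
P = trusted peer, c = valid CA, C = trusted CA for SSL server certs,
T = trusted CA for client auth, u = user cert, w = send warning.
"""
import re

USAGES = ("SSL", "S/MIME", "JAR/XPI")

FLAG_NAMES = {
    "p": "prohibited (explicitly distrusted)",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA",
    "T": "trusted CA for client auth",
    "u": "user cert",
    "w": "send warning",
}

# Constructed listing in the layout certutil -L prints (header, usage line,
# blank line, then "<nickname> <SSL>,<S/MIME>,<JAR/XPI>" per certificate).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

VeriSign Class 3 Extended Validation SSL CA                  ,,
Same intermediate after Edit Trust with nothing ticked       c,c,c
Builtin root kept as anchor                                  CT,C,C
Explicitly distrusted intermediate                           p,p,p
"""


def parse_trust(trust: str) -> dict:
    """Split 'SSL,S/MIME,JAR/XPI' into a set of flag letters per usage."""
    parts = trust.split(",")
    if len(parts) != 3:
        raise ValueError(f"bad trust string: {trust!r}")
    return dict(zip(USAGES, (set(p) for p in parts)))


def trust_effect(flags: set) -> str:
    """Classify one usage column by how it affects chain building.

    A 'p' without any trusted flag is the only setting that blocks the cert.
    'C', 'T' or 'P' make it a trust anchor / trusted leaf for that usage.
    'c' alone or an empty column decides nothing: trust is inherited from
    the issuer, which is exactly why "c,c,c" does not distrust the CA.
    """
    trusted = {"C", "T", "P"} & flags
    if "p" in flags and not trusted:
        return "distrusted"
    if trusted:
        return "trust anchor"
    return "inherited"


def describe(trust: str) -> dict:
    """Human-readable flag names per usage column."""
    return {u: sorted(FLAG_NAMES.get(f, f"unknown '{f}'") for f in flags)
            for u, flags in parse_trust(trust).items()}


def parse_listing(text: str) -> list:
    """Return (nickname, trust) pairs from certutil -L output."""
    certs = []
    for line in text.splitlines():
        line = line.rstrip()
        if not line or line.startswith("Certificate Nickname") \
                or line.lstrip().startswith("SSL,"):
            continue  # header lines
        m = re.match(r"^(.*?)\s+(\S*,\S*,\S*)$", line)
        if m:
            certs.append((m.group(1), m.group(2)))
    return certs


def audit(text: str) -> dict:
    """Map each nickname to the effective trust decision per usage."""
    return {nick: {u: trust_effect(f) for u, f in parse_trust(trust).items()}
            for nick, trust in parse_listing(text)}


if __name__ == "__main__":
    for nick, effect in audit(SAMPLE_LISTING).items():
        print(f"{nick:58s} {effect}")
```

To use it on a real profile, pipe the output of `certutil -L -d <profile directory>` into `audit()`; any intermediate whose SSL column reads "inherited" is still usable for chain building regardless of what the certificate manager shows, which is the condition the report describes.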
I agree that the UI is confusing for this and many other reasons. Currently, if a cert is a trust anchor, any certs it issued are trusted and the UI doesn't affect that.
Depends on: distrust
I think "Delete or Distrust" should be two separate actions.
Delete - should remove the CA but be re-added upon revisiting the site
Distrust - should remove the CA and not be re-added upon revisiting the site
This is more of an enhancement than a bug.
Severity: normal → enhancement
OS: Linux → All
Hardware: x86_64 → All
It's not clear to me whether it's currently possible to implement such Distrust (wouldn't it be a duplicate of current Edit?) in NSS.
Tomas, that's why this bug is marked as depending on "distrust" (bug 470994).
I see that this bug is marked with an importance of "enhancement". I believe that bug 683261 has proved that this should be set to "normal" or higher. It currently takes more than six days to distrust a certificate.
This issue is still present on Firefox 23/24 on Linux, Windows, Android platforms. You actually don't have to connect to the website for the certificate to get automatically added. When I delete an intermediate certificate issued by a Root CA, the certificate is still present if I open the cert manager right after deletion.
(In reply to devillers.nicolas from comment #7)
> This issue is still present on Firefox 23/24 on Linux, Windows, Android
> platforms.

That's not surprising since a patch has not been submitted to this bug report. This is unlikely to get fixed until someone volunteers to fix it or a Firefox developer finds time to work on it.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE