Closed Bug 91495 Opened 23 years ago Closed 8 years ago

Select Automatically for client authentication should handle multiple matches usefully

Categories

(Core Graveyard :: Security: UI, enhancement, P3)

x86
Windows 2000
enhancement

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: thomask, Unassigned)

Attachments

(2 files)

I have 2 certificates (one regular user certificate and one administrator) signed by the same CA, and the "Select Automatically" option is selected. When CMS (the server) requests client authentication for the agent page, PSM just picked the wrong certificate. There is no point in randomly picking a certificate for the user even if "Select Automatically" is enabled. Solution: If more than 1 certificate matches a particular site, PSM should pop up a dialog and say something like: There is more than one certificate that can be used with the current site. Here is a list of certificates that can be used for authentication. Please pick one and this certificate will be used for further authentication for this site. So PSM will need to store the association of (cert, site). So it may need to provide a management UI for the association.
There's a workaround (do not use the "select automatically") ->rangansen t->2.1 p3
Assignee: ssaux → rangansen
Severity: normal → minor
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Target Milestone: --- → 2.1
Reassigning to javi. CMS related. The people who have two such certs are the ones that are evaluating the CMS/PSM integration. We don't want to turn them off.
Assignee: rangansen → javi
Severity: minor → major
Priority: P3 → P1
adding nsenterprise to all P1, P2 PSM bugs with target milestone of 2.1
Keywords: nsenterprise
This is a feature enhancement. The whole point of Select Automatically is so that the user doesn't have to click on anything for client-auth to work. Do we really want to add another click in the client-auth process?
Moving to P3, removing nsenterprise. Although it's true that CMS admins usually have two certs matching the server client auth request, and in that case select automatically is not useful, as long as they can use the ask every time feature to do their work then we have to move this bug to an RFE. The RFE is justified: The way I see the semantics of select automatically is that it doesn't display a dialog when there's only one possible choice for the cert. For most people, when a server requests a client auth cert that's exactly what happens. If you have more than one matching cert, then the current behavior is not saving the user any click if the wrong cert is chosen. To the contrary, the user gets very confused and has to do a lot of extra work to correct the situation. Therefore the select automatically feature should be understood as select automatically when it makes sense, and it should be advertised as such. Thomas, is it fair to request that CMS admins use the choose every time feature? If choose every time still won't allow them to do their work, then let us know.
Severity: major → enhancement
Keywords: nsenterprise
Priority: P1 → P3
Version: 2.0 → 2.1
Sure, this is acceptable.
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Move to future. Won't have time to fix these for 2.1
Target Milestone: 2.1 → Future
QA Contact: ckritzer → junruh
*** Bug 122593 has been marked as a duplicate of this bug. ***
Adding comments from an email sent to me: "I was hoping that 91495 was going to be fixed before 1.0, since it is a real show-stopper for many people. As it is, I'm forced to have an additional browser installed on my machine due to this bug. The bug makes it cumbersome to use mozilla to access my netbank, because the netbank uses client-certificates that differ depending on which person one tries to log in as (www.skandiabanken.no). Changing the setting to "ask every time" is not a good solution, while "ask once for each startup of mozilla" or something would be nice. Is there anything that can be done to increase the priority of fixing this bug, and if not, could you please indicate approximately what part of the source needs to be modified so that I can patch it myself? -- Rune Frøysa"
*** Bug 136832 has been marked as a duplicate of this bug. ***
Blocks: clientauth
Comment on attachment 100380: patch to select certificate once/site/session
The enclosed patch adds a certificate option "Ask once/site/session". nsNSSIOLayer.cpp has been extended to contain a hash of the previously used certificate when this option is selected. The patch works just fine with my netbank.
This patch is an alternative to my previous patch. It makes "Select automatically" detect that multiple sites are legal, and in this case it prompts the user for which certificate to use. The selection is stored in a hash, which is used for future certificate requests for the same site.
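The selection policy discussed in this bug (pick silently when exactly one certificate matches, prompt once per site when several do, and reuse that choice for the rest of the session), as an added example that is not the attached patch and not PSM code. `ClientCert`, `PromptFn` and `ClientAuthSelector` are hypothetical names, and matching issuers by plain string comparison is an assumption made to keep the example short.

```cpp
#include <functional>
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical type for illustration; not a PSM/NSS class.
struct ClientCert { std::string nickname; std::string issuer; };

// Asks the user to choose; returns an index into candidates, or -1 on cancel.
using PromptFn = std::function<int(const std::string& site,
                                   const std::vector<ClientCert>& candidates)>;

class ClientAuthSelector {
public:
    explicit ClientAuthSelector(PromptFn prompt) : prompt_(std::move(prompt)) {}

    // site is "host:port"; acceptableIssuers is the CA list the server sent.
    // Returns the nickname to present, or "" to send no certificate.
    std::string Select(const std::string& site,
                       const std::vector<std::string>& acceptableIssuers,
                       const std::vector<ClientCert>& store) {
        std::vector<ClientCert> matches;
        for (const auto& c : store)
            for (const auto& ca : acceptableIssuers)
                if (c.issuer == ca) { matches.push_back(c); break; }

        if (matches.empty()) return "";
        if (matches.size() == 1) return matches[0].nickname;  // unambiguous

        // Ambiguous: reuse this session's earlier choice if it still matches.
        auto it = remembered_.find(site);
        if (it != remembered_.end())
            for (const auto& c : matches)
                if (c.nickname == it->second) return c.nickname;

        int choice = prompt_(site, matches);
        if (choice < 0 || choice >= static_cast<int>(matches.size())) return "";
        remembered_[site] = matches[choice].nickname;
        return remembered_[site];
    }

private:
    PromptFn prompt_;
    std::map<std::string, std::string> remembered_;  // in-memory, per session
};
```

Keying the remembered choice on host and port keeps a decision made for one site from being silently reused for another site that happens to accept the same CA.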
Mass reassign Javi's old PSM bugs to nobody
Assignee: javi → nobody
QA Contact: junruh → nobody
Target Milestone: Future → ---
Product: PSM → Core
*** Bug 292766 has been marked as a duplicate of this bug. ***
QA Contact: nobody → ui
Version: psm2.1 → 1.0 Branch
Summary: Select Automatically for client authentication isnt too bright → Select Automatically for client authentication should handle multiple matches usefully
Version: 1.0 Branch → Trunk
See bug 1267643 comment 3 for the plan regarding automatically selecting client auth certificates.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard