The add-a-CA UI should not allow enabling trust bits unrelated to the app

NEW
Unassigned

Status

()

Core
Security: PSM
P3
enhancement
4 years ago
a year ago

People

(Reporter: andy, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-backlog])

(Reporter)

Description

4 years ago
I just imported a CA certificate (the Fedora project's certificate).  Firefox asked me what I want to trust that certificate for.  The questions are unclear.

Choice 1: Trust it to identify websites?  This one makes sens.

Choice 2: Trust it to identify email users?  What the *!&@ does that mean?  This is Firefox, not Thunderbird.

Choice 3: Trust it to identify software developers?  Seriously?  Does this mean that I would trust this CA to grant privilege to people's software?  Does this mean that I would trust this CA to tell me who wrote Firefox add-ons?  Why are you asking me this question?

(I'm not saying that #2 and #3 shouldn't be there.  I'm saying that the descriptions could be a lot clearer.)

I suspect that these are actually related to X.509 constraints.  These constraints are, alas, *completely irrelevant* to a web browser, as far as I know.  CAs are either allowed to sign HTTPS certificates (or intermediate CAs) or they are not.  That should be all.

Updated

4 years ago
Component: Preferences → Security: UI
Product: Firefox → Core

Comment 1

2 years ago
Thanks for filing the bug.

The UI in question is shared by Firefox, Thunderbird etc, which is why stuff like e-mail trust shows up even in Firefox.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: x86_64 → All
Summary: The add-a-CA UI is confusing → The add-a-CA UI should not allow enabling trust bits unrelated to the app
Component: Security: UI → Security: PSM
Priority: -- → P3
Whiteboard: [psm-backlog]
You need to log in before you can comment on or make changes to this bug.