Open Bug 953323 Opened 11 years ago Updated 2 years ago

The add-a-CA UI should not allow enabling trust bits unrelated to the app

Categories

(Core :: Security: PSM, enhancement, P3)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

People

(Reporter: andy, Unassigned)

Details

(Whiteboard: [psm-backlog]) 

I just imported a CA certificate (the Fedora project's certificate).  Firefox asked me what I want to trust that certificate for.  The questions are unclear.

Choice 1: Trust it to identify websites?  This one makes sens.

Choice 2: Trust it to identify email users?  What the *!&@ does that mean?  This is Firefox, not Thunderbird.

Choice 3: Trust it to identify software developers?  Seriously?  Does this mean that I would trust this CA to grant privilege to people's software?  Does this mean that I would trust this CA to tell me who wrote Firefox add-ons?  Why are you asking me this question?

(I'm not saying that #2 and #3 shouldn't be there.  I'm saying that the descriptions could be a lot clearer.)

I suspect that these are actually related to X.509 constraints.  These constraints are, alas, *completely irrelevant* to a web browser, as far as I know.  CAs are either allowed to sign HTTPS certificates (or intermediate CAs) or they are not.  That should be all.
Component: Preferences → Security: UI
Product: Firefox → Core
Thanks for filing the bug.

The UI in question is shared by Firefox, Thunderbird etc, which is why stuff like e-mail trust shows up even in Firefox.
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Hardware: x86_64 → All
Summary: The add-a-CA UI is confusing → The add-a-CA UI should not allow enabling trust bits unrelated to the app
Component: Security: UI → Security: PSM
Priority: -- → P3
Whiteboard: [psm-backlog]
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.