m (→Concerns) |
m (→Concerns) |
Line 129: | Line 129: | ||
** Possible Solution: {{Bug|808839}} - Ability to Actively Distrust all certs with a particular Subject. | ** Possible Solution: {{Bug|808839}} - Ability to Actively Distrust all certs with a particular Subject. | ||
* The Certificate Manager does not recognize the "distrust" flag, so there is no distinction in the user interface between certificates that have been Actively Distrusted in NSS and all other certificates. The distrusted certificate(s) should also be added to OneCRL, so the certificate(s) will still be distrusted even if the user manually turns on the trust bits for Actively Distrusted certificates. | * The Certificate Manager does not recognize the "distrust" flag, so there is no distinction in the user interface between certificates that have been Actively Distrusted in NSS and all other certificates. The distrusted certificate(s) should also be added to OneCRL, so the certificate(s) will still be distrusted even if the user manually turns on the trust bits for Actively Distrusted certificates. | ||
** Possible Scenario: User confusion about Actively Distrusted certs listed in the Certificate Manager. | |||
** Possible Solutions: {{Bug|470994}}, {{Bug|733716}}. For Actively Distrusted certs, remove the cert entry from the NSS built-in cert list, and only keep the (dis)trust entry. | ** Possible Solutions: {{Bug|470994}}, {{Bug|733716}}. For Actively Distrusted certs, remove the cert entry from the NSS built-in cert list, and only keep the (dis)trust entry. | ||
* If the certificate to be Actively Distrusted is used by a large portion of the internet population, immediately distrusting the certificate could make many high-traffic websites no longer be reachable, giving the appearance of a large network outage, or users might take actions (such as permanently trusting the bad cert) to bypass error messages. | * If the certificate to be Actively Distrusted is used by a large portion of the internet population, immediately distrusting the certificate could make many high-traffic websites no longer be reachable, giving the appearance of a large network outage, or users might take actions (such as permanently trusting the bad cert) to bypass error messages. |
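Review bot: In the Certificate Manager bullet of the hunk at Line 129, the OneCRL recommendation sits inside the problem statement, while the sub-bullets under it use the "Possible Scenario" and "Possible Solutions" labels for that kind of content. Moving the sentence "The distrusted certificate(s) should also be added to OneCRL, ..." under "Possible Solutions", next to {{Bug|470994}} and {{Bug|733716}}, would keep the concern and its mitigations separate and make it clear that OneCRL is a mitigation that holds even when a user manually turns the trust bits back on.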