Heikki Toivonen wrote:
> Nelson B wrote:
>> beltzner wrote:
>>> On 2/1/07, Gervase Markham <[EMAIL PROTECTED]> wrote:
>>>> Not to my knowledge. Such a thing would be fantastic!
>>> What I was able to offer the W3C was:
>>>
>>> http://www.w3.org/2006/WSC/wiki/NoteMozillaCertificateValidationErrors
>>>
>>> But if someone could help me construct the workflow, that would be
>>> great. Any takers?
>> The page above cites 6 things that can be wrong in a cert chain.
>> There are many MANY more than 6. A full flow chart would be Quite
>> large. So I'm curious to know what level of detail you want.
>
> I think we could start from the states that are visible to the user:
>
> - works
> - silent rejection of connection (is this even possible?)
> - all different error dialogs, prompts or similar that get shown to user
>
> Then, I'd give a high level, short description of the checks that can
> lead to each of the different dialogs. That way all the checks would be
> lumped to something like half a dozen (?) boxes in the flowchart.

Are you looking for UI flow, or the actual tests that are done to
determine validity? I was assuming the latter based on the flow chart
that Mike cited at
http://www.w3.org/2006/WSC/wiki/NoteKDECertificateValidationErrors

NSS provides two functions for cert chain validation. One takes a cert
and an indicator of intended usage (e.g. SSL server auth, S/MIME signer,
S/MIME recipient, etc.) and returns a no/no-go result (and optionally
details). The second detects server name mismatches for valid SSL server
certs (that have passed the first test).

IIRC, PSM groups the various errors into 3 groups, and has a separate
dialog for each. A cert that has multiple errors may cause 1, 2 or 3
error dialogs to appear. The page Mike cited above shows two of the 3
dialogs. It does not show the name mismatch dialog.

The 3 possible dialogs (IIRC) are:
1) Some cert not within its validity period (expired, or not yet valid),
2) All other errors that cause the cert to not be "valid" as defined by
   the PKI standards, including being revoked.
3) server name mismatch.

Of these, only the second group offers a "permanent" override.
The error dialog for the second group does not identify the specific
problem, but only generically describes several common problems of
that group.

There is a proposal to change PSM UI to have only a single error page
for ALL possible cert errors, so a user doesn't get faced with multiple
error pages/dialogs for the same site. Bug 327181, see screen shots at
https://bugzilla.mozilla.org/attachment.cgi?id=212593 (details hidden)
https://bugzilla.mozilla.org/attachment.cgi?id=212595 (details shown)

There is another proposal that doesn't combine all errors into one page,
but for each error, the error page would describe the specific problem
in readable form (no negative or hexadecimal numbers). Bug 107491,
See screen shot at
https://bugzilla.mozilla.org/attachment.cgi?id=252831

These proposals are all now about a year old.
They were barred from consideration for FF2.
Let's hope they will be considered for FF3.

One key goal of SSL-related error pages/dialogs MUST be to point the
user to the SERVER admin rather than bugzilla for help. 99+% of the
SSL errors are the fault of some server admin, and there is no fault in
FF to be fixed. But our current dialogs practically beg users to blame
all problems on us. That's gotta stop, unless one of the Mikes wants to
personally answer all the bugs and group questions about those errors
going forward.

--
Nelson B
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
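
The two checks and three dialog groups described in the message above, modelled as an added sketch. This is not NSS or PSM code and not part of the original post: the `Cert` class, the function names and the sample certificates are constructed for illustration, and signature verification and wildcard matching are left out.

```python
from dataclasses import dataclass
from datetime import datetime

# Dialog groups as numbered in the post; only group 2 offers a permanent override.
VALIDITY, OTHER_INVALID, NAME_MISMATCH = 1, 2, 3
PERMANENT_OVERRIDE = {OTHER_INVALID}

@dataclass(frozen=True)
class Cert:  # constructed stand-in for a parsed certificate
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    dns_names: tuple = ()
    revoked: bool = False

def verify_chain(chain, trusted_roots, now):
    """First check, leaf first: returns (group, detail) for every problem found."""
    errors = []
    for i, cert in enumerate(chain):
        if not (cert.not_before <= now <= cert.not_after):
            errors.append((VALIDITY, f"{cert.subject}: outside validity period"))
        if cert.revoked:
            errors.append((OTHER_INVALID, f"{cert.subject}: revoked"))
        parent = chain[i + 1].subject if i + 1 < len(chain) else None
        if cert.issuer != parent and cert.issuer not in trusted_roots:
            errors.append((OTHER_INVALID, f"{cert.subject}: unknown issuer"))
    return errors

def verify_name(leaf, hostname):
    """Second check: exact, case-insensitive host name match."""
    if hostname.lower() in (n.lower() for n in leaf.dns_names):
        return []
    return [(NAME_MISMATCH, f"{leaf.subject}: not issued for {hostname}")]

def dialogs_for(chain, trusted_roots, hostname, now):
    """One (group, permanent_override, details) entry per dialog, assuming the
    user clicks through each one so that the name check is also reached."""
    errors = verify_chain(chain, trusted_roots, now) + verify_name(chain[0], hostname)
    return [(g, g in PERMANENT_OVERRIDE, [d for eg, d in errors if eg == g])
            for g in sorted({g for g, _ in errors})]

# Constructed sample: an expired leaf from an unknown CA, served under another name.
NOW = datetime(2007, 2, 2)
BAD = Cert("CN=www.example.test", "CN=Unknown CA", datetime(2005, 1, 1),
           datetime(2006, 1, 1), ("www.example.test",))
GOOD = Cert("CN=www.example.test", "CN=Example Root", datetime(2006, 6, 1),
            datetime(2008, 6, 1), ("www.example.test",))
```

Calling `dialogs_for([BAD], {"CN=Example Root"}, "shop.example.test", NOW)` yields three entries, one per dialog group, which is the multiple-dialog case the single error page proposal is meant to remove.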