Closed
Bug 126653
Opened 23 years ago
Closed 23 years ago
NSS3.4 USPS cert in Web Site certs by default
Categories
(Core Graveyard :: Security: UI, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
psm2.2
People
(Reporter: junruh, Assigned: ssaux)
Attachments
(1 file)
(deleted),
patch
1.) Create a new profile and start the browser.
2.) Open the Cert Manager and Web Sites tab.
What happens: The US Post Office cert appears.
What is expected: No cert should be there in a new profile. 2/20 Win2000 trunk.
Assignee
Comment 1•23 years ago
cc relyea and wtc. Since this behavior wasn't present pre NSS3.4, I suspect
that 3.4 has something to do with it.
Priority: -- → P1
Summary: USPS cert in Web Site certs by default → NSS3.4 USPS cert in Web Site certs by default
Target Milestone: --- → 2.2
Assignee
Comment 2•23 years ago
This is still occurring in Build ID 2002022503
Comment 3•23 years ago
Ian, is this cert new?
bob
Comment 4•23 years ago
I presume the cert is "USPS Production 1". This cert is not at all new. It is
an intermediate CA cert issued by "USPS Root". It should not be default
trusted, as it is not a root. What it should be marked as is "valid CA", so
that it shows up as untrusted in the CA list (previously, it was marked as
untrusted, so it didn't show up; the customer did not like that). However, it
is marked as "valid peer", causing it to show up in the web sites tab. I don't
know why this showed up in 3.4, but the builtin entry is marked incorrectly at
any rate.
Comment 5•23 years ago
Comment 6•23 years ago
Patch checked in. Will have to wait for next PSM update.
Comment 7•23 years ago
Ian, doesn't the trust flag "valid CA" imply that it's trusted?
I agree with your comment that intermediate CAs should not be marked
as trusted. Does the change you made cause this CA to be trusted now?
Comment 8•23 years ago
No. "valid" is equivalent to "c,c,c", "Trusted" is equivalent to "C,C,C".
Comment 9•23 years ago
No. Trusted CA means it's trusted; Valid CA means simply that it is a CA.
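The "c,c,c" versus "C,C,C" distinction from Comments 8 and 9, as an added example that is not part of the original thread and is not NSS or PSM code: it parses trust strings and reports CA entries carrying a peer flag or non-root CAs marked trusted. The function names, the `is_root` input and the sample entries are assumptions made for illustration; the `p`, `P` and `T` flag letters follow certutil's documentation rather than this thread.

```python
# Added example (not NSS/PSM code). A trust string has three comma-separated
# fields in certutil's order: SSL, S/MIME, object signing.
USAGES = ("ssl", "email", "objsign")

def parse_trust(trust):
    """Split a trust string such as 'c,c,c' into one flag set per usage."""
    fields = trust.split(",")
    if len(fields) != len(USAGES):
        raise ValueError(f"expected 3 comma-separated fields, got {trust!r}")
    return {usage: set(field) for usage, field in zip(USAGES, fields)}

def level(flags):
    """Strongest CA status one usage's flags grant."""
    if flags & {"C", "T"}:
        return "trusted CA"   # trust anchor for this usage
    if "c" in flags:
        return "valid CA"     # recognized as a CA, but not an anchor
    return "not a CA"

def audit(nickname, is_root, trust):
    """Findings for one CA certificate entry; is_root is caller-supplied."""
    findings = []
    for usage, flags in parse_trust(trust).items():
        if flags & {"p", "P"}:
            findings.append(f"{nickname}: CA marked as peer for {usage}")
        if not is_root and level(flags) == "trusted CA":
            findings.append(f"{nickname}: non-root CA trusted for {usage}")
    return findings

# Constructed entries: (nickname, is_root, trust string).
SAMPLE = [
    # Constructed stand-in for the "valid peer" marking Comment 4 describes.
    ("USPS Production 1", False, "p,p,p"),
    # "valid CA", the equivalence given in Comment 8.
    ("USPS Production 1", False, "c,c,c"),
    ("Example Intermediate CA", False, "C,C,C"),
    ("Example Root CA", True, "C,C,C"),
]

if __name__ == "__main__":
    for nickname, is_root, trust in SAMPLE:
        for line in audit(nickname, is_root, trust) or [f"{nickname} [{trust}]: ok"]:
            print(line)
```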
Comment 10•23 years ago
Comment on attachment 71911
trust USPS Production 1 as valid CA
I checked Ian's patch into the NSS_CLIENT_TAG of NSS.
I think this bug can be marked fixed now.
Comment 11•23 years ago
Marking fixed as wtc suggested.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Reporter
Comment 12•23 years ago
Verified that the USPS Production 1 CA appears now in the authorities tab and
not the web sites tab. The CA is also NOT trusted. Please open a new bug if that
is not correct.
Status: RESOLVED → VERIFIED
Comment 13•23 years ago
It is correct that the USPS Production 1 CA is NOT trusted.
Updated•8 years ago
Product: Core → Core Graveyard