Closed Bug 191897 Opened 22 years ago Closed 8 years ago

Show "missing cert" level in cert chain hierarchy

Categories

(Core Graveyard :: Security: UI, enhancement)

1.0 Branch
x86
Windows NT
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: timmc, Unassigned)


Details

(Keywords: ecommerce)

User-Agent: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2.1) Gecko/20021130
Build Identifier: Mozilla/5.0 (Windows; U; WinNT4.0; en-US; rv:1.2.1) Gecko/20021130

The design goal of Examine Cert Details is apparently to support knowledgeable developers and website administrators. However, it will often be necessary to give less able users or site owner-managers confidence that they understand what is wrong, so they will have the boldness to ask the website admin to fix the problem. Hence we are requesting this enhancement to the Examine Cert Details tab.

Most users do not understand how complex site certificates are, nor realise there should be an intermediate certificate for complete validation of a website. Cert misconfiguration in the above case results (at this time) in an error popup "Website Certified by Unknown Authority", which is accurate, as is the suggested cause "the site's certificate is incomplete due to server misconfiguration". However, clicking Examine Certificate gives conflicting information which discredits the popup error and confuses users who might otherwise report the issue to the server's admin.

Examine Certificate's General tab shows: Common Name (CN) "<Not Part of Certificate>". The Details tab under Issuer shows what appear to be reasonable values for an authority's common name, including "Verisign, Inc." The Details tab should indicate where the problem is. In this case the problem is apparently in the Common Name, which should be part of the certificate chain in the "intermediate certificate". For the server admin who desires to fix the original misconfiguration: see Verisign's knowledgebase about "intermediate certificate".

Reproducible: Always

Steps to Reproduce:
1. https://www.online.petro-canada.ca/petro-points/join/join.asp?l=E
2. Observe popup "Website Certified by an Unknown Authority".
3. Click Examine Certificate; observe under the General tab that Issuer Common Name (CN) is "<Not Part of Certificate>".
4. Click the Details tab; observe a certificate seems present in all details, at least it will seem so to most users.
5. Click Issuer; observe "Verisign, Inc." is present, a reasonable value for Common Name.

Actual Results: Details lists content including "Issuer" which has a reasonable value for the Common Name. However, it does not include the actual common name from the intermediate cert. Details does NOT show that the intermediate cert is expected and missing, only the technical codes and strings which are found.

Expected Results: Details should include an indication that some cert fields are missing, such as an intermediate cert section or checkbox, and show a text summary of the issue. A workable temporary fix might be a fixed title that better describes its limited purpose, such as "Certificate Details Found".

There is a related bug, http://bugzilla.mozilla.org/show_bug.cgi?id=190689, which has considerable dialog on what is happening technically, as well as confusion by bug submitters and others who haven't identified the source of confusion. That bug was about whether server misconfiguration was really involved, which it is. This bug is about Examine Certificate Details, which falsely appear reasonable to most users when details of the error should be shown.

A related bug report is found at http://bugzilla.mozilla.org/show_bug.cgi?id=191480, where there is dialog about how this issue should be resolved as an enhancement request.

Think of how your Mom or her favorite shop's website owner-manager would deal with this. As is, many users meeting this problem and looking for problem details will misinterpret Examine Certificate Details, lose confidence in their understanding, fail to do anything about the misconfiguration problem, and become less likely to use Mozilla. Some will file duplicate bug reports, of course. The dialog on the original bug shows this confusion has been going on too long already.
PSM
Assignee: mstoltz → ssaux
Status: UNCONFIRMED → NEW
Component: Security: General → Client Library
Ever confirmed: true
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: Trunk → 2.4
I've added keyword "ecommerce" to this enhancement request, since it would help ecommerce function as intended and make users more self-sufficient in reporting poorly configured certificate chains. Hope that was appropriate. Also put "unknown authority" in the summary to make this easier to find. I did this because I noticed you had another mistaken bug submittal about a misconfigured cert.
Keywords: ecommerce
Summary: Examine Cert Details omits details users need. → Examine Certificate Details omits details, obscures Unknown Authority popup about misconfigured cert.
I've read this bug and the two related ones. There seems to be confusion on several points, and I'd like to clear that up, and then ask the submitter what (if any) specific changes he would suggest.

1. The "unknown issuer" error is correct. In this case, the problem is that the cert for the CA that issued this server's cert is completely missing. The message might be somewhat more helpful to an administrator if it said "The certificate for the CA that issued this server's cert was not sent by the server, and/or is unrecognized by the browser."

2. The full subject name of the missing issuer's cert does not contain a "Common Name" part. It does not matter that the name "Verisign" is commonly used to identify the issuer. In this context, "Common Name" (abbreviated CN) refers to a specific part of the name, specifically designated by the issuer as the official Common Name. The missing issuer cert doesn't have any CN in its subject name. We know that because the full subject name of the issuer's cert is present in the server's cert. If the issuer name had a CN, it would appear there in the issuer name display preceded by CN=. If you look at the subject name of the server's cert in the detail display, you will see a CN= part there. That part is missing from the issuer's name.

3. The absence of the "CN" in the issuer's name is not a problem. It's a mere factual detail, like calling attention to "no middle initial" on a driver's license or birth certificate (done in some states). The problem is that the issuer's cert is missing completely. If it was present, all would be well, even though its subject name lacks a CN. If the missing cert did have a CN, that would not solve the problem, as long as the cert is missing. The issuer cert must be present, whether it has a CN in the subject name or not, and in this case it is absent.

So, no contradictory information is present in these displays. The display that says Common Name (CN) "<Not Part of Certificate>" is correct, and does not contradict the error "Website Certified by Unknown Authority".

Now my question to the submitter is: what would you have the details display show differently than it does now? The only suggestion I can think of would be to show graphically that the chain is incomplete. E.g. near the top, in the "Certificate Hierarchy" box, underneath the line that represents the server's cert, perhaps the box could graphically show where the missing cert is expected to appear in the hierarchy. It would look like this:

www.online.petro-canada.ca
  |
  +-- (missing)
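The walk described in the comment above, as an added example that is not code from this bug, from PSM or from NSS: it uses only Go's standard library to build a constructed three-level chain (a root whose subject has C/O/OU but no CN attribute, like the issuer name in this bug; an intermediate; and a server certificate for the invented hostname www.example.test), then follows the chain from the server certificate toward a trusted root using only what the server sent plus the trust store, recording a "(missing)" level where the issuer cannot be found, which is the hierarchy display sketched above. It also shows the two points the comment makes: the root's CN prints as <Not Part of Certificate> whether or not the chain is complete, and only the absent intermediate turns x509.Verify into an UnknownAuthorityError, the Go equivalent of the "Website Certified by Unknown Authority" popup. All names, the hostname and the PKI are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a certificate for subject, signed by parent; a nil parent means self-signed (a root).
func mkCert(subject pkix.Name, isCA bool, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{ // constructed demo PKI: a timestamp is serial enough here
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: subject, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if isCA { // a CA must be permitted to sign certificates
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // no parent: sign with our own key, i.e. this is a root
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		panic(fmt.Sprint(err, perr))
	}
	return cert, key
}

// BuildDemo makes a constructed root -> intermediate -> server chain; the root's subject carries no CN.
func BuildDemo() (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	root, rootKey := mkCert(pkix.Name{Country: []string{"US"}, Organization: []string{"Example, Inc."},
		OrganizationalUnit: []string{"Example Class 3 Primary CA"}}, true, nil, nil, nil)
	inter, interKey := mkCert(pkix.Name{Organization: []string{"Example, Inc."},
		CommonName: "Example Secure Server CA"}, true, nil, root, rootKey)
	leaf, _ := mkCert(pkix.Name{Organization: []string{"Example Shop Ltd"},
		CommonName: "www.example.test"}, false, []string{"www.example.test"}, inter, interKey)
	return leaf, inter, root
}

// CNDisplay mirrors the General tab: a name with no CN attribute is reported as such; that is not an error.
func CNDisplay(n pkix.Name) string {
	if n.CommonName == "" {
		return "<Not Part of Certificate>"
	}
	return n.CommonName
}

// Hierarchy walks from the server cert toward a root using only `available` (what the server sent plus
// the trust store) and records a "(missing)" level where the next issuer is absent instead of stopping silently.
func Hierarchy(server *x509.Certificate, available []*x509.Certificate) []string {
	var lines []string
	for cur := server; len(lines) < 10; { // depth bound guards against cross-signed loops
		lines = append(lines, cur.Subject.String())
		if cur.CheckSignatureFrom(cur) == nil { // self-signed: this is a root, the walk ends
			return lines
		}
		var issuer *x509.Certificate
		for _, cand := range available { // the name must match AND the key must verify the signature
			if cand.Subject.String() == cur.Issuer.String() && cur.CheckSignatureFrom(cand) == nil {
				issuer = cand
			}
		}
		if issuer == nil {
			return append(lines, "(missing) expected issuer: "+cur.Issuer.String())
		}
		cur = issuer
	}
	return append(lines, "(chain too long)")
}

// VerifyChain gives the browser's verdict; intermediates can come only from what the server sent.
func VerifyChain(leaf *x509.Certificate, intermediates []*x509.Certificate, root *x509.Certificate) error {
	opts := x509.VerifyOptions{DNSName: "www.example.test", Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool()}
	opts.Roots.AddCert(root)
	for _, c := range intermediates {
		opts.Intermediates.AddCert(c)
	}
	_, err := leaf.Verify(opts)
	return err
}

func main() {
	leaf, inter, root := BuildDemo()
	for _, sent := range [][]*x509.Certificate{{leaf}, {leaf, inter}} { // misconfigured server, then correct one
		fmt.Printf("server sent %d cert(s): verify=%v\n  hierarchy=%q\n", len(sent),
			VerifyChain(leaf, sent[1:], root), Hierarchy(leaf, append([]*x509.Certificate{root}, sent[1:]...)))
	}
	fmt.Println("root CN as the General tab shows it:", CNDisplay(root.Subject))
}
```

With only the server certificate sent, Hierarchy returns the server name followed by a "(missing)" line naming the expected issuer, and Verify fails with an unknown-authority error; adding the intermediate to what the server sends makes both succeed, while CNDisplay on the root's subject prints <Not Part of Certificate> in both cases. Against a live server, the check an administrator would run is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; if the intermediate is not in that output, the fix belongs on the server, not in the browser.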
Changing the graphical display as suggested would be great! "Conflicting information" is not really accurate, as you point out. The graphical information merely fails to validate the textual description information, increasing user uncertainty for the uninitiated. Our goal is to empower ordinary Mozilla users so they have enough confidence about the situation to contact a professional webmaster about it. Making all forms of popup information show the presence and preferably the nature of the error is thus what we are seeking. The only thing more that might be done (beyond this bug report) would be to compose an email for the user to send to the webmaster (if the error description is copyable, that would also help). Thanks! Tim
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Summary: Examine Certificate Details omits details, obscures Unknown Authority popup about misconfigured cert. → Show "missing cert" level in cert chain hierarchy
Product: PSM → Core
QA Contact: junruh → ui
Version: psm2.4 → 1.0 Branch
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
Product: Core → Core Graveyard