Closed Bug 274616 Opened 20 years ago Closed 14 years ago

cannot import received smime certificates

Categories

(Thunderbird :: Mail Window Front End, defect)

x86
All
defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 209182

People

(Reporter: olaf.schlueter, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; de-DE; rv:1.7.5) Gecko/20041122 Firefox/1.0

There is no visible way in Thunderbird to import an encryption certificate received with a signed smime message into the certificate store for later delivery of encrypted messages back to the sender. If the signer certificate is not trusted (it is not signed by an already configured CA) there is no visible way to change that. Thus it is impossible to accept self-signed certificates.

Reproducible: Always

Steps to Reproduce:
1. Open a signed smime message received from another user with a certificate either self-signed or issued by an untrusted CA.

Actual Results:
The signed indication in the message window displays a broken signature. Double-clicking on it explains that the reason for the broken signature is an untrusted signer certificate. No options are displayed to change the trust setting. No option is displayed to export the signer and/or encryption certificate contained in the message.

Expected Results:
Offer a button to accept the certificate as trusted. Offer a button to export and/or install the certificates (at least the encryption certificate) into the personal certificate store.
I bet Nelson can explain why this is, or if it's a bug.
Seamonkey has this same problem. I think there's an open bug about that (for seamonkey) but it's not showing up in my searches at this time.

We don't automatically import (much less trust) certs that come along with an S/MIME message unless they can be validated using a known and trusted cert (typically a trusted root). If we did automatically import unvalidated (or invalid) certs, that would make the program (be it seamonkey or tbird) vulnerable to various known attacks. So, user decision is required to import unvalidated certs.

So, I agree with Olaf that the UI that displays a peer's cert chain, whether an SSL server's cert chain or an S/MIME email cert chain, should also let the user choose to import any cert in that chain, and should also allow the user to edit the trust on any imported cert in that chain. I'd suggest that the UI to do this be part of the "detailed view" of the individual cert.

One more point here. An email message can contain multiple cert chains: a signature cert chain (which validates the signature on the email) and an encryption cert chain (with which the recipient can send back an encrypted reply). I believe that, at present, the cert chain viewing UI for email only shows the signature chain. But generally speaking, we never want to import certs from the signature chain (unless they happen to also be part of the encryption chain). We only want to import certs from the encryption chain.

Now, if (as is very often the case) the signer's signature cert is also his encryption cert (implying that the signing and encryption chains are the same chain), then displaying the signature chain also could (and should, IMO) provide the viewer with the opportunity to import and/or trust any certs in that chain. But if the message has only a signing chain (which is not also an encryption chain), or if the message has separate signing and encryption chains, then IMO the UI should NOT give the user the chance to import the certs in the signing chain, but only the certs in the encryption chain. And presently, AFAIK, there is no UI to view the encryption chain - only the signing chain.

Seems like the cert chain viewing UI code should be able to be reused for both purposes, signing and encryption chain viewing. But there's no way now (AFAIK) for the user to say "show me the encryption chain".

So, I'd say that there's a bunch of work for someone to do in the email clients' UI, adding a way to view encryption chain, adding a way to import each cert in the chain (individually), and adding a way to edit the trust on imported certs (only) in the chain. And I'd hope that would be done for both seamonkey and TBird.
Status: UNCONFIRMED → NEW
Ever confirmed: true
QA Contact: front-end
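The import policy proposed in the comment above, modelled as a small decision function. This is an added example, not part of the bug thread and not Thunderbird or PSM code; the object shapes, the action names and all fingerprints are assumptions made up for illustration, and chain validation is reduced to "the last cert is a trusted root".

```javascript
// Added illustration, not Thunderbird or PSM code. Certs are plain objects
// and every fingerprint (fp) is a constructed placeholder.
// Chains are leaf-first; one "validates" when its last cert is a trusted root.
function validates(chain, store) {
  return chain.length > 0 && store.trusted.has(chain[chain.length - 1].fp);
}

// Decide, per certificate, what a chain viewer should allow.
function importChoices(msg, store) {
  const enc = msg.encryptionChain || [];
  const sig = msg.signingChain || [];
  const encFps = new Set(enc.map((c) => c.fp));
  const sigFps = new Set(sig.map((c) => c.fp));
  const encValid = validates(enc, store);
  const rows = new Map();
  for (const c of [...enc, ...sig]) {
    if (rows.has(c.fp)) continue; // cert shared by both chains
    const inEnc = encFps.has(c.fp);
    const known = store.imported.has(c.fp);
    let action;
    if (known) action = "already-imported";
    else if (!inEnc) action = "view-only"; // signing-only: no import offered
    else if (encValid) action = "auto-import"; // chains to a trusted root
    else action = "ask-user"; // unvalidated: explicit user decision
    rows.set(c.fp, {
      chain: !inEnc ? "signing" : sigFps.has(c.fp) ? "both" : "encryption",
      action,
      canEditTrust: known, // trust is editable on imported certs only
    });
  }
  return rows;
}

// Constructed store and messages covering the cases in the comment.
const store = { trusted: new Set(["ROOT-1"]), imported: new Set(["ROOT-1"]) };
const selfSigned = { signingChain: [{ fp: "SELF-A" }], encryptionChain: [{ fp: "SELF-A" }] };
const splitChains = {
  signingChain: [{ fp: "SIG-B" }, { fp: "CA-X" }],
  encryptionChain: [{ fp: "ENC-B" }, { fp: "CA-X" }],
};
const signingOnly = { signingChain: [{ fp: "SIG-C" }, { fp: "CA-Y" }] };
const validated = {
  signingChain: [{ fp: "SIG-D" }, { fp: "ROOT-1" }],
  encryptionChain: [{ fp: "ENC-D" }, { fp: "ROOT-1" }],
};
for (const [name, m] of Object.entries({ selfSigned, splitChains, signingOnly, validated })) {
  console.log(name, [...importChoices(m, store)]);
}
```
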
I have had the same issue trying to install certificates received from thawte.com. Thawte utilizes Verisign-based software and is a recognized cert authority. Thawte offers free public/private keys for email signing and encryption. Installed without issue in Outlook and Navigator 7.2 but not into t'bird. Vista H.P., t'bird 2.0.0.14
Assignee: mscott → nobody
Component: Mail Window Front End → Import
OS: Windows 2000 → All
Product: Thunderbird → MailNews Core
QA Contact: front-end → import
Wayne, this would fall into Thunderbird UI -> PSM integration.
Component: Import → Mail Window Front End
Product: MailNews Core → Thunderbird
QA Contact: import → front-end
Appears to be a duplicate of bug #209182, which hasn't seen much activity lately.
(In reply to comment #5)
> Appears to be a duplicate of bug #209182, which hasn't seen much activity
> lately.

I agree.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE