Using ftp://sweetlou/products/client/seamonkey/windows/32bit/x86/2001-07-19-05-0.9.2/ I have setup a CMS4.2SP2, and by default, there is a OCSP service running colocated with a standard CA. I enrolled a certificate, and imported the CA certificate. The "Manage Certificate" panel in PSM said the certificate is verified (verified is "true"). So I then did "Privacy and Security > Validation > OCSP", and selected "Use OCSP to validate all certificate using this URL and signer". By default, the Response Signer is set to nothing. I did not pick any Response Signer, and I put in a invalid Service URL (i.e. http://localhost:80). I clicked OK, and dismissed the dialog window. And I started Preference > Privacy and Security > Certificates > Manage Certifiate. The certificate is still verified as good (verified is "true"). Should PSM say "unknown" or something?

p2 t->2.1 Need to have a comprehensive review of OCSP in PSM. ->javi

adding nsenterprise to all P1, P2 PSM bugs with target milestone of 2.1

Mass assigning QA to ckritzer.

The bug mentioned here is basically, "bad UI design for OCSP." How much of the OCSP UI are we willing to modify for this upcoming release? We need some UI help here.

For this release we should focus on improving the wording. Sean Cotter should be able to help.

The Help text for the OCSP prefs panel suggests (without saying so explicitly) that choosing "Use OCSP to verify all certificates, using the URL and signer specified here" means the Cert Manager regards a cert as invalid--that is, the verified column for the cert should read "false"--unless it receives a "valid" response from the responder. If this is correct, then the problem is that the Cert Manager should read "false" instead of "true" in this case. But I have a feeling this interpretation is not correct. Even if the URL specified is correct and the responder is working, it could return a response of "unknown." This is different from "false", and some people might care about the distinction. I'm not sure what to suggest about the wording in the prefs panel--it may be just fine, although the help text probably needs improvement. However, it probably should not be possible to select the third option without specifying both a URL and a signer. In this case, maybe we need an alert when the user clicks OK, asking the user to fill in the missing info. Unless there are situations where somebody might want to fill in the URL without specifying one of the available responders. Would PSM's OCSP implementation still work if the responder isn't specified but the URL is valid? Thomas' other issue has to do with what the Verified column should say. Aside from "true" (meaning that the specified responder has verified the certificate) or "false" (meaning that the specified signer has identified the cert as one that has been revoked), there are at least two other possibilities: (1) the responder has no record of the cert, or for some other reason has responded "unknown"; or (2) the responder can't be reached for some reason--the specified URL has a typo, the server is down, etc. A user (or more likely, an admin) might care about this additional distinction. "unknown" from a working responder is different--more serious, maybe--than "unknown" because the server can't be reached. If we want to reflect this distinction in the UI, maybe the first case should be "unknown" and the second should be something like "unavailable" or "can't verify" with suitable explanation in Help. Or maybe this distinction is too subtle to bother with, and Verified should just be "unknown" in both situations. Any thoughts?

The situation that thomas is running is caused by NSS not initializing OCSP becuase the signer certificate is missing. The error code doesn't bubble up and no UI is presented to the user. That should get fixed.

future

Adding relnote keyword. Revoked certs using OCSP may still appear in the Cert Manager verified as True.

Platform MacOS 9.2.2 May cause error code -8075 in Netscape 7.0 when trying to access a secure page. Workaround: Create new profile; copy all folders from old profile EXCEPT for Security folder to new profile folder; restart Netscape and select new profile. This takes time and is very annoying to have to do every day. I can't seem to reset the OSCP processing within the Netscape Preferences Security Manage Certificates dialog to Never Use. Though the button is highlighted, I still get invalid certificates later on.

Mass reassign Javi's old PSM bugs to nobody

This isn't relevant any longer.