Re: Permanently store this exception selected by default
File a bug. (If we're going to annoy the users every time they first encounter a security exception, we might as well go whole-hog and do it every time they encounter a security exception.) -Kyle H, the embittered On Fri, Jun 4, 2010 at 7:21 PM, TEO Tse Chin teotsec...@gmail.com wrote: Hello, I encountered an expired cert for an IMAP (STARTTLS) server from an ISP. While I've followed up with the ISP about the expired cert, there was something about Thunderbird's behavior that caught my attention. In the Add Security Exception dialog box, the checkbox for Permanently store this exception was checked by default. Given users' tendency to click-through security warnings, would it not perhaps be better for that box to be UNchecked by default? That way they'll get a warning each time, and more likely to go bug their service provider to keep their certs up to date. Tse Chin -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
How does Firefox do kerberos single sign on
I am trying to do single sign on using kerberos like Firefox does with spnego. I am using the Java GSS API and run into the problem with the allowtgtsessionkey regsitry on Windows 2003 (Like described on http://java.sun.com/j2se/1.5.0/docs/guide/security/jgss/tutorials/Troubleshooting.html). Our security does not like changing the registry key and allowing access to the session key. So I wonder how Firefox solved this problem. On our Systems Firefox works without changing the registry key. Could you explaing what steps are done in Firefox to acquire a service ticket? Best regards Christian -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Permanently store this exception selected by default
On 2010-06-04 19:21 PDT, TEO Tse Chin wrote: I encountered an expired cert for an IMAP (STARTTLS) server from an ISP. While I've followed up with the ISP about the expired cert, there was something about Thunderbird's behavior that caught my attention. In the Add Security Exception dialog box, the checkbox for Permanently store this exception was checked by default. Given users' tendency to click-through security warnings, would it not perhaps be better for that box to be UNchecked by default? No. This was deliberate. Users' tendency to click through without reading the warning/error first is a direct function of the frequency with which the user experiences the error. It's that frequency that is the enemy. The idea is that the way to get users to pay attention to errors is to make them infrequent. Showing the user the SAME error over and over is the worst thing to do in terms of conditioning him to ignore all similar errors. So, we did what we could to minimize the frequency. That way they'll get a warning each time, and more likely to go bug their service provider to keep their certs up to date. Actually, they're more likely to ignore it. Tse Chin -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Permanently store this exception selected by default
On 2010-06-06 11:22 PDT, aerow...@gmail.com wrote: File a bug. No, don't. It would be a duplicate. Find the bug already on file. It's probably already resolved WONTFIX. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Permanently store this exception selected by default
Sorry to reply out of order That way they'll get a warning each time, and more likely to go bug their service provider to keep their certs up to date. Tse Chin Even as a technical user I have a hard time finding out whom to contact at a site and how to convince them to get a properly signed certificate (webmaster@ is usually clueless). If they can't be bothered to google free ssl or keep them up to date chances are they won't fix a self signed certificate or an expired certificate anytime soon. As much as I dislike this interface change I agree with it. -Kurt -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Generation of key pair and CSR
Hi, I would like to create a plug-in for Firefox that, when invoked, generates a new key in the Firefox key/certificate store. Is it possible to generate a new keypair in using NSS from the plug-in, or do I need to somehow call crypto.generateCRMF() via javascript from the plug-in? Thanks in advance, James Subrata Mazumdar-2 wrote: Michael Ströder wrote: Subrata Mazumdar wrote: There is a new version of KeyManager available that supports SeaMonkey. I'll give it a try. What I'm really missing are some simple functions like exporting a cert received in an e-mail S/MIME signature. Things that are really easy with Outlook but with Mozilla-based MUAs I had to use openssl smime to extract the certs. Ciao, Michael. Yes, KeyManager supports exporting of any certificate in your Cert-DB and importing of temporary certs as permanent cert. If the cert is in your CertDB (either temporarily or permanently) and you can view it using Certificate Viewer of PSM, then you can either export the cert or import it permanently. Use the preference window to enable the exporting of certificate option - by default it is disabled. BTW, I have noticed that Mozilla PSM in FF3 (Beta) added support for exporting any certificates in your CertDB. -- Subrata ___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- View this message in context: http://old.nabble.com/Generation-of-key-pair-and-CSR-tp15012279p28800556.html Sent from the Mozilla - Cryptography mailing list archive at Nabble.com. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto