[Bug 238861] Re: CAC Card - Auto Select Doesn't Work

Wed Jun 11 01:26:05 UTC 2008

Alexander,

Thank you for the response.

"about client certificates for authentication?":  Because I am unsure of
terminology, I will try to be explicit.  This is about how firefox
handles "certificate" requests from servers when queried.  My
certificates are good and work, but require constantly selecting the
correct certificate.

I had no problem setting up my CAC card for use with Linux / Firefox
(DoD plugin pulled all certs that I needed and installed them to
firefox).  Fairly straight forward process with some excellent guides
online.

WHAT AM I DOING:  I connect to my work email through an outlook web
access server.  Since there are certain security concerns, the site now
uses the CAC card to provide certificates to access the site.

WHAT I DO / SEE:

a.  I connect to the URL.  I SEE a dialog box prompting me for my CAC PIN which is required to access my card and verify that I am the proper owner of the card.
b.  I enter my PIN.   I SEE a dialog box showing me the certificate that FIREFOX wants to respond with (There are two on my card -- one normal and one tagged email). 
c.  I select the second certificate because that is the one required for this site.  It always defaults to wrong certificate until I choose one for the first time.  I would like to note, that I am prompted multiple times for the certificate, as I believe the site is pulling data from separate areas, each requesting a certificate.  I SEE finally outlook web access (OWA) interface.
d.  While working in OWA, if I reply to an email, open calendars, tasks, etc... I am prompted to select the certificate... sometimes multiple times in a row.  WHAT I SEE is that after a certain amount of time, firefox starts presenting me with the correct certificate as its default selection (supports my thought that there are multiple queries for the certifcate from different sources).

The above notes are what occurs on default firefox setting (choose
certificate everytime firefox is asked).  If I wait until I see all of
my certificate requests are defaulting to "email certificate" and then
change the default setting of firefox to "let firefox choose the
certificate to respond with", it works flawlessly with out any other
problems.

If I change the default settings to "Let Firefox Choose" prior to
connecting to site, FIREFOX ALWAYS chooses the wrong certificate and I
am locked out of the site.  NOTE, that this is after a restart of
firefox that this occurs and not if I changed the settings after getting
through the initial series of "selecting" the certificate.

MY BELIEF:

1.  Firefox has a bug in how it handles certificate requests.  It is not
processing the request properly, so always defaults to wrong
certificate.

AND OR

2.  Firefox is supposed to learn and remember the proper certificate
selected for the site and fails to do that, so switching to "letting
firefox choose" fails once it learns because it forgets the association
with the site.

OR

3.  Firefox doesn't have the requiste functionality yet to handle the
certificates learning and it needs to be requested as a new feature.  If
it needs to be implemented, the certificate handling should have another
option in which it asks for the correct certificate if it has not
learned/been told to remember the certificate/website association.  It
should work something like the passwords and websites works in firefox.

OR

4.  The functionality is there, I just don't know where it is and how to
configure it.

Thanks in advance.  :)

ARM-C

-- 
CAC Card - Auto Select Doesn't Work
https://bugs.launchpad.net/bugs/238861
You received this bug notification because you are a member of Mozilla
Bugs, which is subscribed to firefox-3.0 in ubuntu.