Could you provide a screenshot on how it suggests that the certificate could be used to sign other certificates?

palmer@ or felt@, could you take a look? Thanks

emilyschechter@, do you happen to know who owns CrOS-specific settings? if not, I can go digging. thanks!

The fact it's even in "Certificate Authorities" hints it could be used to sign other certificates.  I want it to be very clear that it's only intended to verify the intended server/subject.

Deleted: Screenshot 2016-07-18 at 18.56.24.png 73.8 KB

	Screenshot 2016-07-18 at 18.56.24.png 73.8 KB View Download

Thank you for providing more feedback. Adding requester "tanin@google.com" for another review and adding "Needs-Review" label for tracking.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

re: #2, Yes +tbuckley owns CrOS settings.

This is a duplicate of a very old bug; IIRC it's an underlying problem in NSS? +rsleevi who will know.

If it is a duplicate, I'm having trouble finding it, but it's certainly a known issue.

We (for values of both Chrome and NSS) don't support trusting a CA certificate for a single host. If you import a CA certificate into NSS, it's treated as a CA certificate.

So this is WontFix/WAI.

rsleevi, what is the "Servers" tab for? is that for putting client certs?

Certificates without CA=true - that is, certificates that are not CA certificates.

The reason for the UI is that the UI leads repeatedly expressed a desire that, if we offer any UI at all (and we didn't for a number of releases), that it matches Firefox's PSM UI (the closest NSS has to UI). Officially, NSS is only managed via the command-line, but we needed something for CrOS.

PSM's docs are at http://www-archive.mozilla.org/projects/security/pki/psm/ , but in terms of what NSS supports, the better(ish?) documentation is for certutil, NSS's "official" way of managing the DB. That's https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/tools/NSS_Tools_certutil

The "servers" tab corresponds to the "P" option (trusted peer), while the "Authorities" tab corresponds to either the c or C flag (it's more complicated by the fact that the value of 'p' changed between NSS releases).

If you view the details on the certificate, you can see we expose the other trust flags (email & object signing), even though they have no relevance on ChromeOS, because we wrote this UI for the Linux port, and for Linux, where the NSS DB is shared, those UI settings make sense for the library, even though they don't make sense for Chrome.

rsleevi@, do you still support WintFix/WAI on this bug? Nothing has happened since 2016, I favor being realistic if this isn't going to be fixed.

I do support WontFix'ing - although I would love lots of UI love and partnership on how we manage certificates, I also know no one from UI has wanted to touch it since 2011 :)

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot