[17184] in Athena Bugs


Re: Vanishing certs: One possible cause

daemon@ATHENA.MIT.EDU (t. belton)
Thu Sep 16 15:22:40 1999

Date: Thu, 16 Sep 1999 15:22:06 -0400 (EDT)
From: "t. belton" <tbelton@MIT.EDU>
To: f_l@MIT.EDU, web-agents@MIT.EDU, e-reserves@MIT.EDU, bugs@MIT.EDU
In-Reply-To: <Pine.GSO.3.96L.990915153207.13122A-100000@iphigenia.mit.edu>
Message-Id: <Pine.GSO.3.96L.990916150148.29081A-100000@iphigenia.mit.edu>
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

Once more I apologize for the large set of recipients.

I went to the library this afternoon and watched as one of the users who
had been plagued by the vanishing certificates problem reproduced it.

As has already been discussed, this problem is caused by a corrupted
certificate database. We don't know all of the possible reasons why the
user's certificate database could become corrupted. I suspect now that
there are any number of circumstances that Netscape's tiny brain can't
cope with. For example, there is still one Electronic Reserves user
whose certificates just will not stay put. (I'm going to look into that 
tomorrow.)

But we have found and identified ONE definite cause of corruption. 

When applying for the SITE certificate - that is, recognizing MIT as a
certificate authority - you are offered a dialog which has three
checkboxes, to indicate what you are allowing that CA to do. I don't have
the exact phrasing in front of me - we can look it up when we revise the
instructions, as we will need to do - but the options are 1. allow the CA
to certify locations (websites) 2. allow the CA to certify people (email)
3. allow the CA to certify developers.

You MUST check at least one of these. (I generally check the first two.)
It seems like a number of users are simply pressing the Next button at
that point without checking any.

If you do that, the next dialog is actually a "Since you have rejected
this CA ..." message, but it's easy to skip the fine print and not realize
it. Then it looks like you've finished getting a site certificate, when
what you've really done is create an empty certificate database.

*At that point Netscape is officially confused.* If you try to get a user
certificate then, it will appear to install, but will be gone the
next time you run Netscape.

Furthermore, you will probably have to clean out your cert*.db and key*.db
files after that before trying again. 

-Todd

