Comment 34 for bug 239360

(In reply to comment #30)
> Kai, what does the client display when encounters a site using a revoked
> certificate?

It's not perfect yet, but it won't allow an override.

(FYI, you can find a testcase for OCSP and revoked certs here: http://kuix.de/misc/test-ocsp/ )

When I trust that test CA (!) and enter
  https://revoked.kuix.de:8352/
into the exception dialog, I get
- an error popup saying the cert is revoked
- the dialog says "No Information Available"
  and "This site doesn't supply any identification.
       There is no need to add an exception for this site".

This indeed needs improvement.

> Also, it would seem to me that we should show all important certificate
> information in that screen at the same time.

What information do you consider important?

If we want to show more information, the dialog will have to become bigger.
(Or we'll have to use a multi-page wizard, so we don't need to show all chrome at the same time)

> I'd further suggest name changes as follows:
> * Unknown identity: This site is using a certificate from an unknown source.
> Firefox cannot validate the identity of this site.
> -or when appropriate-
> Unknown identity: This site is using a self-signed certificate. A self-signed
> certificate is one issued by the site itself instead of a well-known authority.

Johnathan, when you get the "untrusted" error, you should be able to distinguish "self signed" and "unknown/untrusted issuer" by comparing cert.issuer and cert.subject for equality.

> * Expired certificate: This site is using a certificate that has expired and it
> is no longer valid for identifying this site.
> * Site name mismatch: This site is using a certificate for "www.example.com",
> but the certificate was issued for "www.company.com".

Sounds good to me.

> Should we put in words there like "This error may indicate that someone is
> trying to hijack your communications with www.example.com"?

Sounds good to me.
We had a phrase like this in the old dialog for untrusted certs.