On Wednesday 22 October 2008 16:37:16 you wrote:
I don't think that's typical usage at all: typical usage presents a UI. It's called from elsewhere in cryptui, so it's under the control
Sure, but the app may present its own UI like Outlook does, and call this function with CRYPTUI_WIZ_NO_UI set.
of the user how frequently this is used. You add a cert to the root store even when a UI is requested. This is clearly incorrect.
Yes, so those users may benefit from the stub as well. And I do print a FIXME. This is nothing new, we've been ignoring invalid certificates in wininet for years where we should stop and show a UI.
I'm not saying we shouldn't implement this or not be secure, it's just a matter of priorities.
-Hans