On Wednesday 22 October 2008 16:37:16 you wrote: > I don't think that's typical usage at all: typical usage presents a > UI. It's called from elsewhere in cryptui, so it's under the control
Sure, but the app may present its own UI like Outlook does, and call this function with CRYPTUI_WIZ_NO_UI set. > of the user how frequently this is used. You add a cert to the root > store even when a UI is requested. This is clearly incorrect. Yes, so those users may benefit from the stub as well. And I do print a FIXME. This is nothing new, we've been ignoring invalid certificates in wininet for years where we should stop and show a UI. I'm not saying we shouldn't implement this or not be secure, it's just a matter of priorities. -Hans
