
People's PKI certificates disappeared from Thunderbird when I clicked the "Trust this Certificate" button under the "Edit Trust" button in the Cert Manager; how to fix?
Given difficulty reading an encrypted message sent to me, I went into the Certificate Manager (Tools/Account Settings/Security/View Certs/People/), clicked on the person's name and then the "Edit Trust" button at the bottom of the window. I then clicked the "Trust this Certificate" button, which caused the person to be deleted from the list of people.
How do I get them back, because I can no longer find their name in the People window?
Why does trying to trust a certificate cause it to disappear? This appears to be a bug of long standing; I found reports circa 2009. I am using Mac OS X and Thunderbird 24.5.0.
All Replies (13)
How did you get the cert into Thunderbird in the first place?
People send me digitally signed emails which appear to magically pop into the Thunderbird Certificate Manager with no action on my part.
That's the expected behavior. I have no idea why a cert disappears when you try to edit the trust though. It works fine here.
To get the cert back into Thunderbird, open a signed message from the sender.
In any case, difficulties reading an encrypted message sent to you have nothing to do with the sender's certificate. The message is encrypted to your (public) key, and only you can decrypt it with your private key.
The sender's certificate is used to verify the sender actually is the one you think it is. This also works if you do not explicitly trust the sender's certificate.
I'm running on a MacBook Pro, OS X 10.8.5; Thunderbird 24.5.0.
I opened the person's email, clicked on the red dot on the envelope, went down into the cert details and then checked the Cert Manager and determined he had not been added.
I then went to Mozilla and downloaded/installed a fresh version of 24.5.0, opened the person's email again, and once again he was not added to the People list.
Your thoughts?
The file cert8.db in your profile folder may have become corrupted. Delete this file while Thunderbird is closed.
Close Thunderbird by choosing File (Alt-F) -> Quit.
Open your profile folder.
Delete the file named cert8.db.
Restart Thunderbird. cert8.db will be recreated when you do so.
Note, this will erase any personal certificates you may have installed, so back them up if you have no other copy.
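The reset described above, as an added example that is not part of the thread: a POSIX shell function that moves cert8.db aside with a timestamp instead of deleting it, so personal certificates, imported CAs and trust edits stay recoverable if the reset turns out not to be the fix. It refuses to run while the profile appears to be in use. The lock-file names (.parentlock, lock) and the macOS profile path in the usage note are assumptions about Thunderbird's profile layout, not something the thread states.

```shell
#!/bin/sh
# Added example, not from the thread: reset Thunderbird's cert8.db with a
# timestamped backup rather than an unrecoverable delete. key3.db (the
# private-key store) is deliberately left alone.

# Usage: reset_cert_db PROFILE_DIR
# Prints the path of the backup on success; returns 1 and prints a reason
# on stderr if the profile is missing, looks open, or has no cert8.db.
reset_cert_db() {
    profile=$1
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 1; }

    # Assumption: Thunderbird marks an open profile with .parentlock (macOS,
    # Linux) and a 'lock' symlink (Linux). cert8.db has no locking of its
    # own, so touching it while Thunderbird runs risks corrupting it.
    if [ -e "$profile/.parentlock" ] || [ -L "$profile/lock" ]; then
        echo "profile looks open; quit Thunderbird first" >&2
        return 1
    fi

    [ -f "$profile/cert8.db" ] || { echo "no cert8.db to reset in $profile" >&2; return 1; }

    stamp=$(date +%Y%m%d-%H%M%S)
    backup="$profile/cert8.db.bak-$stamp"
    # Rename instead of rm: Thunderbird recreates an empty cert8.db on the
    # next start, and the old one stays available for recovery.
    mv "$profile/cert8.db" "$backup" || return 1
    echo "$backup"
}
```

On macOS the profile usually lives under ~/Library/Thunderbird/Profiles/&lt;random&gt;.default; quit Thunderbird, then run `reset_cert_db` on that directory. To roll back, quit Thunderbird again and move the backup file back to cert8.db. A stale .parentlock left behind by a crash also trips the check; remove it only after confirming no Thunderbird process is running.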
OK, I made a leap of faith and deleted the cert8.db file and restored my personal certs as advised. The CAs also need to be restored, and I hit some difficulties. When I went out to the Govt websites, all the CAs went into Firefox. So how do I get them from Firefox over to Thunderbird? I exported them one by one from Firefox and then imported them into Thunderbird, but the number of button clicks is significant and I have about 100 CAs to reload. Painful; cannot do them as a batch.
Also, the issue with editing trust on a single person still causes them to disappear from the People list, and they cannot be reloaded. I re-deleted the cert8.db file and am rebuilding once again. The "Edit Trust" on an individual is broken and a bug. I have a fresh load of Thunderbird and a brand-new cert8.db file and the people disappear. To recover, I have to delete cert8.db and reload many CAs one by one. Ouch.
Any thoughts?
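The one-by-one CA reload described in the post above, as an added example that is not from the thread: instead of exporting each CA from Firefox and importing it through the Certificate Manager, NSS's certutil (the library and database format behind cert8.db) can import a directory of CA files into the Thunderbird profile in one loop. The function names, the `DRY_RUN` switch and the sample paths are assumptions; certutil's `-A`, `-d`, `-n`, `-t`, `-a` and `-i` options are real. The trust flags `,C,` trust each CA for e-mail (S/MIME) only, which is all the signed-mail use case needs; the SSL and object-signing slots are left empty on purpose.

```shell
#!/bin/sh
# Added example, not from the thread: bulk-import CA certificates into a
# Thunderbird cert8.db with NSS certutil. Assumes certutil (NSS tools) is
# installed and that CA_DIR holds one certificate per file, PEM or DER.

# Build (but do not run) the certutil command for one CA file, so the
# batch can be reviewed before anything is written to the database.
# The "dbm:" prefix selects the legacy cert8.db format even on a newer
# NSS whose default database is sql (cert9.db).
ca_import_cmd() {
    profile=$1
    f=$2
    # Nickname = file name without extension; it only has to be unique.
    nick=$(basename "$f" | sed 's/\.[^.]*$//')
    # PEM input needs -a; DER input does not.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f"; then fmt=' -a'; else fmt=''; fi
    printf 'certutil -A -d dbm:%s -n "%s" -t ",C,"%s -i "%s"\n' "$profile" "$nick" "$fmt" "$f"
}

# Usage: import_ca_dir PROFILE_DIR CA_DIR
# With DRY_RUN set, prints one command per file instead of running it.
import_ca_dir() {
    profile=$1
    cadir=$2
    [ -f "$profile/cert8.db" ] || { echo "no cert8.db in $profile" >&2; return 1; }
    [ -d "$cadir" ] || { echo "no such CA dir: $cadir" >&2; return 1; }
    # cert8.db has no locking: Thunderbird must be closed while certutil
    # writes to it (process-name check is an assumption; skipped in dry run).
    if [ -z "$DRY_RUN" ] && command -v pgrep >/dev/null 2>&1 \
        && pgrep -x thunderbird >/dev/null 2>&1; then
        echo "quit Thunderbird before modifying cert8.db" >&2
        return 1
    fi
    for f in "$cadir"/*; do
        [ -f "$f" ] || continue
        cmd=$(ca_import_cmd "$profile" "$f")
        if [ -n "$DRY_RUN" ]; then
            echo "$cmd"
        else
            eval "$cmd" || return 1
        fi
    done
}
```

Run with `DRY_RUN=1` first and read the command list; then run without it and confirm with `certutil -L -d dbm:PROFILE_DIR` that the nicknames appear with trust `,C,`. Only files that are actually CA certificates belong in the directory: `openssl x509 -noout -text -in FILE` should show `CA:TRUE` under Basic Constraints, because certutil will happily mark any certificate you hand it as a trusted issuer.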
the CAs also need to be restored
Not sure what this means. Thunderbird has a built-in set of CAs it trusts by default (quite a few actually). You don't need to rebuild these manually, they are added automatically.
I have no real idea what the problem could be in your case. Can you try with a new profile?
The US Govt has a large number of CAs depending on who you are working with. In addition, businesses that don't want to pay for PKI certs from commercial vendors for their 8000 in-house 8000 create their own CAs for internal use. When I want to communicate with these folks, I have to have their CAs installed to recognize them; these are the ones I am reinstalling one by one.
The reason for "Edit Trust" on individuals (in the Cert Manager) is that the email address that was used to create their PKI cert is many times not the address they are currently using. Receiving a digitally signed email from the wrong email address gets flagged and distrusted and won't work. You then have to edit the trust of the person so the new email address is accepted.
The bug is, editing the trust to ACCEPT the individual's cert causes them to disappear from the table, leading to the recovery method of deleting cert8.db and rebuilding.
I submitted a Bugzilla report if you want more information:
https://bugzilla.mozilla.org/show_bug.cgi?id=539928
A key issue for me is that my communications are not predictable and dependable. The people using Outlook have an "Edit Trust" button that works, and it puts pressure on me to use a Mac and to use Thunderbird since my IT guys don't support them.
The reason for "Edit Trust" on individuals (in the Cert Manager) is that the email address that was used to create their PKI cert is many times not the address they are currently using.
I'm not sure I do understand this. Are you saying someone obtained a cert from a CA not part of the TB built-in CA list for email address A.
Then the same person sends you a message with email address B as sender address, but signs the message with the cert belonging to email address A?
That doesn't sound right to me.
Yep, and it's done all the time. Here's why: people in the Government, military in particular, get rotated to multiple assignments and locations where the email address gets changed for the physical location they happen to be in. The Govt doesn't want to re-issue certs every time these people move. Since Outlook allows one to override the strict checking of the email address against that in the cert, people are happy campers even though it is a bad security practice. I brought it to the attention of the proper people and they mumbled something about 150,000 people to manage. You can read the comments and the RFC paragraph at the link given above.
PS: what file do I delete to force a new profile?
In my view the practice you describe defeats the whole idea of using certificates, at least as far as authenticity is concerned.
Whether Outlook behaves correctly and Thunderbird not, I don't know, but again, it doesn't sound right to me.
I was assuming something is broken in your profile, hence the suggestion to create a new one. But that probably isn't the case. So I don't think there is a need to create a new profile.
Just for the record, you use profile manager for that.
Thank you for your assistance. You helped me repair my cert8.db.
It would be a help to resolving and retiring this issue to have someone confirm what I am seeing; could you try one last time to edit trust?
i.e., go to View Certs/People/, select someone's name, Edit Trust at the bottom of the window, click "Trust the authenticity of this certificate", then OK.
Then search for the person's name in the people window.
For me, the name can no longer be found.
I don't see your problem. But then I don't have certs where the email address from the cert is different from the sender's email address.