Thank you for your prompt reply. Bob wrote:
>NSS (and therefore mozilla products) do not do automatic fetching of
>certificates at this point in time.
>Currently all protocols have a way of transmitting the necessary
>intermediate certificates, and mozilla products depend on these protocols.

In theory yes, in practice no. If you use TLS client-auth as an example, FF would require that every sub-CA was known in advance by the relying party (server) in order to provide the proper DNs for certificate filtering & selection. I believe the AIA caIssuers extension was introduced to reduce the need for static configurations.

I guess that TB would puke on my certificates as well. In OE it works as (I) anticipated.

>Automatic fetching is a PKIX feature, and is targeted for NSS 3.12.

Good!

Kai wrote:
>Both your root.cert and cacert.cert seem to have same serial number and
>issuer. That is forbidden.

AFAIK each CA has its own serial number space. This should make it OK to reuse a serial number even within a CA hierarchy. It would be an error if I let the root sign another CA and used serial = 1 for that one as well.

Anders

Anders Rundgren wrote:
> The following 3-level certificate hierarchy works as expected when looking on
> it in MSIE:
>
> Root certificate: http://webpki.org/mozbug/root.cer (to be imported)
> Actual CA certificate: http://webpki.org/mozbug/cacert.cer (NOT to be
> imported since the EE cert's AIA CAissuers URI points to this)
> EE certificate and private key: http://webpki.org/mozbug/anders.p12 (Import
> and use password "testing")
>
> Using Mozilla FF (latest release on Windows) the built-in certificate viewer
> says that the EE cert is untrusted even though Root was imported and edited as trusted.
>
> Are there any known problems with path building in the certificate viewer? I
> don't use Thunderbird so I could not test with e-mail.
>
> Anders
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
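
The difference discussed in this thread, between a path builder that uses only the certificates it was given and one that follows the EE certificate's AIA caIssuers URI, shown as an added example (not code from NSS, Mozilla or anyone in the thread). The `Cert` record, `build_path`, the `fetch` callback and the `ca.example` URI are hypothetical, and signature, validity and constraint checks are left out of this simplified model.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    aia_ca_issuers: Optional[str] = None  # URI from the AIA caIssuers extension

def build_path(ee, trusted_roots, supplied, fetch=None, max_depth=8):
    """Return the chain from ee up to a trusted root, or None if none is found.

    trusted_roots maps subject DN -> Cert; supplied is the list of intermediates
    delivered in-band (e.g. by the TLS handshake or an S/MIME message).
    """
    pool = {c.subject: c for c in supplied}
    path, current = [ee], ee
    for _ in range(max_depth):
        if current.issuer in trusted_roots:
            return path + [trusted_roots[current.issuer]]
        parent = pool.get(current.issuer)
        if parent is None and fetch and current.aia_ca_issuers:
            candidate = fetch(current.aia_ca_issuers)
            # A fetched certificate is only a candidate: it must name the
            # expected issuer, and trust still comes from reaching a root.
            if candidate is not None and candidate.subject == current.issuer:
                parent = candidate
        if parent is None or parent in path:  # missing issuer or a loop
            return None
        path.append(parent)
        current = parent
    return None

# Constructed three-level hierarchy; only the root is in the trust store.
ROOT = Cert("CN=Root", "CN=Root")
SUB_CA = Cert("CN=Sub CA", "CN=Root")
EE = Cert("CN=EE", "CN=Sub CA", "http://ca.example/subca.cer")
REMOTE = {"http://ca.example/subca.cer": SUB_CA}  # stands in for an HTTP fetch

def demo():
    roots = {ROOT.subject: ROOT}
    no_fetch = build_path(EE, roots, [])                       # no path: sub-CA unknown
    with_aia = build_path(EE, roots, [], fetch=REMOTE.get)     # sub-CA found via AIA
    in_band = build_path(EE, roots, [SUB_CA])                  # sub-CA sent by protocol
    return no_fetch, with_aia, in_band
```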