Frank Hecker wrote:

3. Find some other way to get NSS not to recognize DigiNotar certs for email, perhaps in combination with some action by Entrust and/or DigiNotar. For example, one idea is to have end users of DigiNotar certs reconfigure their email clients to have cert chains that terminate in the DigiNotar Root CA root; unfortunately that's not really workable IMO (since every cert holder would have to do this). Another idea is to have Entrust revoke the DigiNotar Root CA intermediate cert; however as I understand it that would have no effect whatsoever, as NSS doesn't check for revocation of CA certs (except in the EV case). There's perhaps a possibility that adding the DigiNotar Root CA intermediate cert to the preloaded cert list would help, but that's unclear at this point given the current state of NSS.
Try this as a solution:

Have Entrust reissue the DigiNotar intermediate with an appropriate Extended Key Usage that restricts email usage.
Include that intermediate in our root store.

The reason NSS selects the current intermediate over the root is that the intermediate is newer (IIRC).


bob
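Added example, not part of the thread and not NSS or Entrust code: a self-contained Go program that models the proposal above with the Go standard-library X.509 verifier. It builds a stand-in root, signs the same intermediate key and subject twice (once with no EKU, once reissued with EKU limited to serverAuth), issues an S/MIME leaf and a TLS leaf under that key, and then chains each leaf through each intermediate. The names, serial numbers and key types are constructed for the example; what it demonstrates is Go's documented behaviour of applying the requested EKU to every certificate in the chain, so the reissued intermediate stops email validation while leaving TLS validation intact.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template builds a certificate template with the given subject, CA flag and
// Extended Key Usage list. A nil eku means "no EKU extension", i.e. unrestricted.
func template(cn string, serial int64, isCA bool, eku []x509.ExtKeyUsage) *x509.Certificate {
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		ExtKeyUsage:           eku,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return tmpl
}

// sign issues tmpl under parent using the signer's key and returns the parsed cert.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Scenario holds the constructed hierarchy (names are stand-ins, not real CAs).
type Scenario struct {
	Root, InterOriginal, InterReissued, EmailLeaf, TLSLeaf *x509.Certificate
}

func Build() Scenario {
	rootKey, interKey, emailKey, tlsKey := newKey(), newKey(), newKey(), newKey()

	rootTmpl := template("Example Root CA (stand-in for the Entrust root)", 1, true, nil)
	root := sign(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	interName := "Example Intermediate CA (stand-in for DigiNotar Root CA)"
	// Original cross-certificate: no EKU, so it may issue for any purpose.
	interOrig := sign(template(interName, 2, true, nil), root, &interKey.PublicKey, rootKey)
	// Reissued cross-certificate for the same key and subject, EKU limited to serverAuth.
	interReissued := sign(template(interName, 3, true, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}),
		root, &interKey.PublicKey, rootKey)

	emailLeaf := sign(template("user@example.com", 4, false, []x509.ExtKeyUsage{x509.ExtKeyUsageEmailProtection}),
		interOrig, &emailKey.PublicKey, interKey)
	tlsLeaf := sign(template("www.example.com", 5, false, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}),
		interOrig, &tlsKey.PublicKey, interKey)
	return Scenario{root, interOrig, interReissued, emailLeaf, tlsLeaf}
}

// VerifyVia chains leaf to root through exactly one intermediate for the
// requested usage. Go applies the EKU check to every certificate in the chain,
// so an intermediate whose EKU omits the usage causes the chain to be rejected.
func VerifyVia(leaf, inter, root *x509.Certificate, usage x509.ExtKeyUsage) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inters := x509.NewCertPool()
	inters.AddCert(inter)
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		KeyUsages:     []x509.ExtKeyUsage{usage},
	})
	return err
}

func main() {
	s := Build()
	fmt.Println("email via original intermediate:", VerifyVia(s.EmailLeaf, s.InterOriginal, s.Root, x509.ExtKeyUsageEmailProtection))
	fmt.Println("email via reissued intermediate:", VerifyVia(s.EmailLeaf, s.InterReissued, s.Root, x509.ExtKeyUsageEmailProtection))
	fmt.Println("TLS via reissued intermediate:  ", VerifyVia(s.TLSLeaf, s.InterReissued, s.Root, x509.ExtKeyUsageServerAuth))
}
```

The example deliberately offers the verifier only one intermediate at a time. Whether a real client prefers the reissued certificate over the original when both are available (the "newer wins" selection the reply attributes to NSS) is a separate question about that client's chain building, and nothing here tests it.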


_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
