Eddy Nigg wrote, On 2008-06-24 14:56:

> Another question is, what happens if the cross-signed certificate is 
> revoked AND NSS recognizes the revocation. Would this effectively have 
> the DigiNotar root show up as revoked? 

It would, UNLESS any of the following were true:

1. A newer Entrust cross (intermediate) CA cert existed, and was being
served by the server you were trying to reach, or

2. A newer Entrust cross (intermediate) CA cert existed, and you had
previously visited a server that was serving that newer cert.  In that
case, you would have the newer cert in your cert DB and it would take
precedence over any older cert with the same issuer and subject names.

3. DigiNotar's new root was available and trusted in your client and
DigiNotar's new root had issued a new "rollover" cert itself that was
newer than the older Entrust cross cert, and either
a) that rollover cert was being served by the server you were visiting, or
b) you already had that rollover cert in your cert DB from a prior visit.

/Nelson
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
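The cases listed in the reply above can be traced with a small model. This is an added example, not NSS code and not part of the original message; the selection rule (newest usable cert for a subject name wins), the cert names, dates and serials are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    serial: int

def pick_ca_cert(subject, served, cert_db, trusted_roots):
    # Candidates come from the server's handshake and the local cert DB.
    # Modelling assumption: only certs issued by a trusted root are usable,
    # and among those the newest one for the subject name takes precedence.
    usable = [c for c in [*served, *cert_db]
              if c.subject == subject and c.issuer in trusted_roots]
    return max(usable, key=lambda c: c.not_before, default=None)

def chain_status(leaf_issuer, served, cert_db, trusted_roots, revoked):
    # Revocation is checked only on the cert that was actually selected.
    chosen = pick_ca_cert(leaf_issuer, served, cert_db, trusted_roots)
    if chosen is None:
        return "untrusted"
    return "revoked" if (chosen.issuer, chosen.serial) in revoked else "ok"

# Constructed sample data (names, dates and serials are placeholders).
OLD_ROOT, NEW_ROOT, ENTRUST = "DigiNotar old root", "DigiNotar new root", "Entrust root"
OLD_CROSS = Cert(OLD_ROOT, ENTRUST, date(2007, 1, 1), 1)
NEW_CROSS = Cert(OLD_ROOT, ENTRUST, date(2008, 6, 1), 2)
ROLLOVER = Cert(OLD_ROOT, NEW_ROOT, date(2008, 6, 15), 3)
REVOKED = {(ENTRUST, 1)}  # the old cross cert has been revoked

def scenarios():
    both = {ENTRUST, NEW_ROOT}
    run = lambda served, db, roots: chain_status(OLD_ROOT, served, db, roots, REVOKED)
    return {
        "only old cross known": run([OLD_CROSS], [], {ENTRUST}),
        "1: newer cross served": run([NEW_CROSS], [OLD_CROSS], {ENTRUST}),
        "2: newer cross in cert DB": run([OLD_CROSS], [NEW_CROSS], {ENTRUST}),
        "3a: rollover served": run([ROLLOVER], [OLD_CROSS], both),
        "3b: rollover in cert DB": run([OLD_CROSS], [ROLLOVER], both),
        "rollover, new root untrusted": run([OLD_CROSS], [ROLLOVER], {ENTRUST}),
    }

if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{name:30} {status}")
```

The practical point for anyone relying on the revocation: whether it takes effect depends on which certs the server sends and what each client has cached, so two clients can reach different verdicts for the same site.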