Victor Probo wrote:
>
> Nelson;
> In collecting data for this reply, I found that you are correct. (blush)
> On the screen are two links (so to speak). One is an Address Card
> icon and the other is a "Download" link. The link has a number of LDAP
> args and ends with the "application/x-x509-email-cert" mime type.

Yes. It downloads a cert that is 898 bytes long. The cert contains
numerous extensions, including:
 - keyUsage
 - authorityKeyIdentifier
 - subjectKeyIdentifier
 - certificatePolicies
 - subjectAltName
 - issuerAltName

FWIW, Netscape's PP (pretty print) program has trouble interpreting some
of those extensions, and crashes while trying to print that last one.
I haven't yet looked into whether that's a library problem or merely
a problem in pp (which I think is not actively maintained).

> But I will include the specifics anyway. These certs do raise some
> questions.
>
> URL=https://ds-web.c3pki.chamb.disa.mil/dsgw/bin/lang?context=dsgw-mail
> "Standard Search"
> "wojcik" as search arg
> Pick 3rd entry (Not LRA or RA)

Those instructions leave me looking at a page with 3 frames, the relevant
one of which may be seen at this URL:

https://ds-web.c3pki.chamb.disa.mil/dsgw/bin/dosearch?context=dsgw-mail&hp=email-ds-3.c3pki.chamb.disa.mil&dn=cn%3DWojcik.Robert.Christopher.0900000004%2C%20ou%3DDISA%2C%20ou%3DPKI%2C%20ou%3DDoD%2C%20o%3DU.S.%20Government%2C%20c%3DUS

That page displays an image of a business card, which is a link to a
JavaScript function named showVCard, which when clicked displays this URL:

https://ds-web.c3pki.chamb.disa.mil/dsgw/bin/dosearch?context=dsgw-mail&hp=email-ds-3.c3pki.chamb.disa.mil&dn=cn%3DWojcik.Robert.Christopher.0900000004%2C%20ou%3DDISA%2C%20ou%3DPKI%2C%20ou%3DDoD%2C%20o%3DU.S.%20Government%2C%20c%3DUS&ldq=_vcard&text/x-vcard

> Click "Download Certificate".
> Nothing changes on the screen, no pop-up, but cert is loaded.

Yes, I find that annoying too. It's a UI "feature". :-)
In browsers past, that caused a "wizard" (sequence of dialog boxes) to
appear, but someone decided to eliminate the wizard :-( because it was
deemed to be too unfriendly.

> Clicking the Address card in Mozilla gives you a download that
> Mozilla doesn't know how to handle, whereas Netscape presents
> a popup and a simple display.

Again, that address card image links to

https://ds-web.c3pki.chamb.disa.mil/dsgw/bin/dosearch?context=dsgw-mail&hp=email-ds-3.c3pki.chamb.disa.mil&dn=cn%3DWojcik.Robert.Christopher.0900000004%2C%20ou%3DDISA%2C%20ou%3DPKI%2C%20ou%3DDoD%2C%20o%3DU.S.%20Government%2C%20c%3DUS&ldq=_vcard&text/x-vcard

That URL fetches a page of type text/x-vcard that contains the following
text:

BEGIN: vCard
VERSION: 2.1
FN: Xxxxxx.Xxxxxx.Xxxxxxxxxxx.NNNNNNNNNN
N: Xxxxxx;Xxxxxx
FN: Xxxxxx.Xxxxxx.Xxxxxxxxxxx.NNNNNNNNNN
N: Xxxxxx;Xxxxxx
ORG: ;XXXX
EMAIL;INTERNET: [EMAIL PROTECTED]
TITLE: Xxxxxxx Xxxxxxxx
TEL;WORK: (xxx)xxx-xxxx
TEL;FAX: (xxx)xxx-xxxx
END: vCard

(I substituted Xs and Ns there so that that person's info won't wind
up in some Usenet archive.)

There's no cert in that vcard anywhere. It may be that Mozilla doesn't
know how to display such a vcard, but that has nothing to do with NSS
because there's nothing in there that is in any way encrypted or relevant
to NSS/PSM. I'm not sure that the FN: and N: lines are supposed to be
repeated in a vcard, as they are above, so that may be related to why it
displays strangely on Mozilla.

> Examining the Cert shows:
> Index has Name and email address.
> Detailed view fails to show email (in recognizable form).
> BUT under extensions is OID 2 5 29 17 (subAltName)
> is a hex string with his email address
>
> Obviously some piece of code could read this extension, because
> the email address came from it.

Some piece of code could read the subjectAltName extension, agreed.
I think the issuerAltName may be confusing something, but don't know what.

> Victor Probo

My conclusion of this matter is twofold:

1. Mozilla may have a bug in handling VCards, but that is unrelated to
   NSS and PSM, and

2. There may indeed be a bug in NSS or PSM in the handling of one or more
   of the following 3 cert extensions:
    - certificatePolicies
    - subjectAltName
    - issuerAltName

Someone here should look in more detail at why this cert isn't handled
right in PSM/NSS.

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
