fecund wrote:
> 
> Using Mozilla 1.2 alpha, and having trouble accessing many sites when
> OCSP validation is turned on. The typical error is:
> " Error trying to validate certificate from secure3.ingdirect.com
> using OCSP - response contains a date which is in the future. "
> 
> What I'd like to see in the above error:
> the site it used to validate said certificate
> the invalid date
> eg: " Error trying to validate certificate from secure3.ingdirect.com
> via www.verisign.com using OCSP - response contains a date
> '99/99/9999' which is in the future. "

Did it really say 99/99/9999 ?  
Or did you substitute 9s for the real numbers?

> Anyway, I ask the bank and they say that one of my root CAs has
> expired or that my clock is wrong. My clock is correct, so I set about
> trying to debug my certificates.

Even if your clock is incorrect and your timezone is incorrect and your
system date is wrong, none of those things should cause the date in the 
OCSP response to be interpreted as 99/99/9999!  

So, I'm wondering if the particular OCSP response was not exactly in 
the format expected by mozilla/NSS.  

> I turn off OCSP verification, and examine the site's certificate with
> "Page Info".  It says "The web site secure3.ingdirect.com supports
> authentication for the page you are viewing. The identity of this web
> site has been verified by VeriSign Trust Network, a certificate
> authority you trust for this purpose." - I assume there is some
> alternative to OCSP that Mozilla used to check ingdirect's
> certificate.  

mozilla/NSS verifies that 
- the server cert name matches the host name in the site's URL, and
- none of the certs has expired, and 
- the signature in each cert is verifiable using the public key in the 
  issuer's cert, and
- the cert chain ends with a root CA cert that is known to and trusted by 
  mozilla, a so-called "trust anchor", and 
- none of the certs is restricted from being used for SSL by any cert 
  extensions, and
- a few other details (path length constraints, name constraints).
This is normal certificate chain validation.

OCSP merely verifies that the certs in question haven't been revoked by
the issuing CA.  Without OCSP, and without a "Certificate Revocation List"
from the issuing CA, mozilla simply doesn't check the certs for revocation.

--
Nelson Bolyard               
Disclaimer:                  I speak for myself, not for Netscape
