Ian McGreer wrote:

2) I have two different public keys/certs for Alice, both from the same CA and (with regard to the v3 extensions) both suitable for encryption.
How does Mozilla make its decision about which one to use?

I believe it will use the newer cert.
What does "newer" mean in this context? The one that was last issued or last put into cert*.db?


When I send mail to Alice, Mozilla takes the first key/cert that shows up in the certificate manager, which is the "right" one, because the other key/cert was used for signing the email Alice sent to me.
Was I just lucky, or does Mozilla know about the use of the keys/certs?
Both certs came with an email I received and were incorporated by Mozilla into cert7.db.

If Mozilla/PSM couldn't figure this out, it wouldn't be a very useful S/MIME client :) Many deployments use the dual-cert (signing & encryption) model.

Besides a difference in the DN and the certified keys, both certificates are identical: same attributes and extensions. So how does Mozilla figure out which is the "right" one?

Gerd

