John, I'm glad you brought this discussion to this newsgroup.
As we discussed previously, the spec for downloading CA certs via application/x-x509-ca-cert http://wp.netscape.com/eng/security/comm4-cert-download.html#chains says that the first of the certs in the PKCS7 signed data package is treated as a root CA cert, with the user having an opportunity to edit the trust flags, and the rest of the CAs in the package are installed as untrusted intermediate CAs.

The behavior you reported observing with mozilla was that the LAST cert in the PKCS7 package is treated as the root CA, with an option to edit the trust, and the other certs were treated as untrusted intermediate CA certs. So, there is a discrepancy between the spec (which was originally written for Communicator 4.0) and the mozilla behavior.

The question in my mind is whether Communicator 4.0 followed the spec (which means that Communicator 4.x and mozilla behave differently given the same PKCS7 input), or whether both Communicator and mozilla behave essentially the same. If the two programs behave differently, then one of them has a bug. Clearly there can only be one right behavior for that MIME type. If the two programs behave the same, then we can argue that both programs are right and the spec itself simply needs to be revised to match the programs' consistent behavior.

On a related topic, I see one other potential gotcha about the certs you created with OpenSSL. They have serial numbers 0, 1, and 2. I suspect that each time you create certs with that program it will produce certs with those same serial numbers. This means that, if you're not very careful, you'll end up creating more than one cert with the same issuer name and serial number, which violates X509 and is not allowed by NSS. It might be that you'll issue certs with these numbers one year, and then a year or two later when the certs expire, you issue a new set that have the same issuer name and the same serial numbers. Believe me, you want to avoid doing that. It's not valid, and it will cause big problems for your users. So, plan ahead to avoid ever reusing serial numbers.

--
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
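The following is an added example written for this page; it is not code from Nelson's post, from NSS, or from mozilla. It models the two pitfalls above on simplified certificate records (a dict with `subject`, `issuer` and `serial`, standing in for parsed X.509 fields) rather than real DER. `find_duplicate_identities` flags the exact failure mode described in the post (a CA re-issuing certs with serials 0, 1, 2 under the same issuer name), `SerialRegistry` shows one way to allocate serials so that can never happen, and `order_chain` orders a PKCS7-style bundle by following issuer-to-subject links instead of by position, so a consumer does not have to guess whether the sender put the root first (the spec) or last (the observed behavior). All three helper names and the sample data are constructed for this example.

```python
"""Added example: serial-number uniqueness and position-independent chain
ordering, using constructed certificate records instead of real DER."""
import secrets
from collections import Counter

# RFC 5280: serialNumber is a positive INTEGER of at most 20 octets,
# so 159 random bits always fit and always leave the sign bit clear.
MAX_SERIAL_BITS = 159


def find_duplicate_identities(certs):
    """Return every (issuer, serial) pair that occurs more than once.

    X.509 requires that pair to identify exactly one certificate, and
    NSS rejects databases where it does not. The post's scenario (serials
    0, 1, 2 re-issued a year later under the same issuer) trips this check.
    """
    counts = Counter((c["issuer"], c["serial"]) for c in certs)
    return sorted(key for key, n in counts.items() if n > 1)


class SerialRegistry:
    """Remembers every serial an issuer has ever used, so re-issuing a CA
    after expiry can never reproduce an (issuer, serial) pair."""

    def __init__(self):
        self._used = {}  # issuer name -> set of serials already issued

    def record(self, issuer, serial):
        """Register a serial chosen elsewhere; refuse a repeat."""
        used = self._used.setdefault(issuer, set())
        if serial in used:
            raise ValueError(f"serial {serial} already used by {issuer}")
        used.add(serial)

    def allocate(self, issuer):
        """Pick a random, non-zero serial this issuer has never used."""
        used = self._used.setdefault(issuer, set())
        while True:
            serial = secrets.randbits(MAX_SERIAL_BITS) | 1  # | 1 keeps it non-zero
            if serial not in used:
                used.add(serial)
                return serial


def order_chain(certs):
    """Order a bundle root-first by issuer -> subject links.

    The result does not depend on whether the sender put the root first
    or last. Exactly one self-issued cert is expected; certs that cannot
    be reached from it are returned separately as leftovers.
    """
    roots = [c for c in certs if c["subject"] == c["issuer"]]
    if len(roots) != 1:
        raise ValueError(f"expected exactly one self-issued cert, found {len(roots)}")
    by_issuer = {}
    for c in certs:
        if c["subject"] != c["issuer"]:
            by_issuer.setdefault(c["issuer"], []).append(c)
    ordered = [roots[0]]
    frontier = [roots[0]]
    while frontier:
        parent = frontier.pop(0)
        children = by_issuer.pop(parent["subject"], [])
        ordered.extend(children)
        frontier.extend(children)
    leftover = [c for children in by_issuer.values() for c in children]
    return ordered, leftover


if __name__ == "__main__":
    # Constructed sample: the three OpenSSL-style certs from the post.
    bundle = [
        {"subject": "CN=Root", "issuer": "CN=Root", "serial": 0},
        {"subject": "CN=Inter", "issuer": "CN=Root", "serial": 1},
        {"subject": "CN=Leaf", "issuer": "CN=Inter", "serial": 2},
    ]
    reissued = [dict(c) for c in bundle]  # same serials a year later
    print("duplicates:", find_duplicate_identities(bundle + reissued))
    ordered, leftover = order_chain(list(reversed(bundle)))
    print("root-first:", [c["subject"] for c in ordered], "leftover:", leftover)
```

`order_chain` treats the self-issued certificate as the root on purpose: position in the PKCS7 package is exactly what the two implementations in the post disagree about, while subject equal to issuer is a property of the certificate itself.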
