Unlike the new standard "Code Signing" OID, the Object Signing OID had to be present in the EE cert and also in all the intermediate CA certs in the chain in order to be valid for Object signing.
However, AFAIK, the "object signing" feature was not carried over into later generation browsers (after Communicator 4.x).
In my tests, Communicator 4.x did not enforce the restriction you describe in all case.
If the intermediate/root CA certs had no netscape cert type extension at all, it was possible to enable then for "object signing" without problems, despite a description implying they were required to explicitly have it.
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
