Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-10-01 Thread Anders Rundgren
The trust anchor (i.e., the root CA) authenticates itself, as well as the certificates it issues to other entities. A better diagram and way of looking at it would

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-29 Thread Kyle Hamilton
The trust anchor (i.e., the root CA) authenticates itself, as well as the certificates it issues to other entities. A better diagram and way of looking at it would be thus:

    anchor (.) - trust level
    / \
    root subca - authentication level
    / \
    subsubCA endentity

It's

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-28 Thread Jean-Marc Desperrier
Anders Rundgren wrote: [...]. That Root is actually signed by the same key and having the same issuer as Sub does not put it in the same level as Sub since Root is self-signed. I think you should rethink about the meaning of *self*-signed. The issuer of Root *is* Root, so Root and Sub *do*

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-28 Thread Jean-Marc Desperrier
Jean-Marc Desperrier wrote: Anders Rundgren wrote: [...]. That Root is actually signed by the same key and having the same issuer as Sub does not put it in the same level as Sub since Root is self-signed. I think you should rethink about the meaning of *self*-signed. The issuer of Root *is*

Re: CA serial number clarification. Re: Mozilla's use of AIA caIssuers URIs

2006-09-28 Thread Anders Rundgren
Jean-Marc Desperrier wrote: [...]. That Root is actually signed by the same key and having the same issuer as Sub does not put it in the same level as Sub since Root is self-signed. I think you should rethink about the meaning of *self*-signed. I don't claim to be the world's biggest expert on

Re: Mozilla's use of AIA caIssuers URIs

2006-09-27 Thread Nelson B
Anders Rundgren wrote: NSS (and therefore mozilla products) do not do automatic fetching of certificates at this point in time. Currently all protocols have a way of transmitting the necessary intermediate certificates, and mozilla products depend on these protocols. In theory yes, in

Re: Mozilla's use of AIA caIssuers URIs

2006-09-27 Thread Bob Relyea
Anders Rundgren wrote: Both your root.cert and cacert.cert seem to have same serial number and issuer. That is forbidden. AFAIK each CA has its own serial number space. This should make it OK to reuse a serial number even within a CA hierarchy. It would be an error if I let the root

Re: Mozilla's use of AIA caIssuers URIs

2006-09-27 Thread Anders Rundgren
Any two certs with the same issuer must have different serial numbers. I have never claimed anything else. This is a basic X509 requirement, violating this will cause you interoperability problems. If you reissue your CA cert, it must have a new number. If you spin up another CA with the

Re: Mozilla's use of AIA caIssuers URIs

2006-09-27 Thread Anders Rundgren
Nelson wrote: NSS (and therefore mozilla products) do not do automatic fetching of certificates at this point in time. Currently all protocols have a way of transmitting the necessary intermediate certificates, and mozilla products depend on these protocols. In theory yes, in practice no.

Re: Mozilla's use of AIA caIssuers URIs

2006-09-26 Thread Anders Rundgren
Thank you for your prompt reply. Bob wrote: NSS (and therefore mozilla products) do not do automatic fetching of certificates at this point in time. Currently all protocols have a way of transmitting the necessary intermediate certificates, and mozilla products depend on these protocols. In