Nelson B Bolyard wrote:
Bruce Keats wrote:

I am having problems importing CRLs and managing CRLs within firefox. In the linux version, the import button opens a window that allows me to enter a file name for the CRL. The CRL is in PEM format and is called "root.crl". When I select OK, there are no error messages, however the CRL is not imported.


Yeah, mozilla security error dialogs leave a lot to be desired
https://bugzilla.mozilla.org/show_bug.cgi?id=107491

In this case, the CRL has to have been signed by a trusted CA.
If the CA cert isn't already in your profile and marked trusted,
the CRL import will fail.  That's my guess about your experience.

Unfortunately no. Mozilla doesn't do any check on issuer when importing CRLs. It doesn't verify the CRL. It only checks the ASN.1 encoding. This is required because we don't keep intermediate certs around in our DB. If mozilla did the check, it would be impossible to import CRLs for intermediate CAs. We have NSS APIs that do the check when importing, but they aren't used in this case.

On the Windows version, this functionality works OK. However, if I remove the CRL then try and import a more up to date CRL,
I get an error.


What version of NSS are you using?

I vaguely (and perhaps erroneously) recall that there is (er, once was) a
problem that occurs when your only CRL expires or is removed.  The problem
is that if NSS thinks you have (or had) a CRL for a CA, then NSS cannot
thereafter verify any signatures without the CRL for that CA, INCLUDING
the signatures on new CRLs.  I think that was fixed in NSS 3.10 or 3.11,
but my memory of this is pretty hazy.

Perhaps MisterCRL will reply to this soon.

;)
I don't remember either about this specific problem, sorry.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
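An added example, not code from this thread or from NSS: the issuer, signature and freshness checks the reply says the browser's CRL import skipped (it only parsed the ASN.1), written with Python's `cryptography` package against a constructed CA and a PEM CRL; the CA names are made up.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

def _utcnow():
    # Naive UTC, matching the naive datetimes cryptography returns from CRLs.
    return datetime.datetime.now(datetime.timezone.utc).replace(tzinfo=None)

def make_ca(common_name):
    """Constructed fixture: a self-signed CA key and certificate (made-up name)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    now = _utcnow()
    cert = (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=365))
            .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))
    return key, cert

def make_crl_pem(signing_key, issuer_cert, last_days_ago, next_days_ahead):
    """Constructed fixture: a PEM CRL (like the 'root.crl' in the thread)."""
    now = _utcnow()
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(issuer_cert.subject)
           .last_update(now - datetime.timedelta(days=last_days_ago))
           .next_update(now + datetime.timedelta(days=next_days_ahead))
           .sign(signing_key, hashes.SHA256()))
    return crl.public_bytes(serialization.Encoding.PEM)

def check_crl(crl_pem, trusted_ca_cert):
    """Return the reasons to reject the CRL; an empty list means accept.
    Parsing the PEM/ASN.1 is the only step the thread says the import did."""
    crl = x509.load_pem_x509_crl(crl_pem)
    problems = []
    if crl.issuer != trusted_ca_cert.subject:
        problems.append("issuer does not match trusted CA")
    elif not crl.is_signature_valid(trusted_ca_cert.public_key()):
        problems.append("signature not valid under trusted CA key")
    if crl.next_update is not None and crl.next_update < _utcnow():
        problems.append("CRL expired (nextUpdate in the past)")
    return problems
```

The expiry branch is the situation Nelson describes: a CRL whose nextUpdate has passed should be replaced, not silently treated as still authoritative.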