On 3/23/06, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
Bruce Keats wrote:
> I am having problems importing CRLs and managing CRLs within firefox.
> In the linux version, the import button opens a window that allows me to
> enter a file name for the CRL. The CRL is in PEM format is called
> "root.crl". When I select OK, there are no error messages, how the CRL
> is not imported.
Yeah, mozilla security error dialogs leave a lot to be desired
https://bugzilla.mozilla.org/show_bug.cgi?id=107491
In this case, the CRL has to have been signed by a trusted CA.
If the CA certs isn't already in your profile and marked trusted,
the CRL import will fail. That's my guess about your experience.
Yes, the CRL was signed by a trusted CRL. I imported a PKCS12 certificate that contained the certificate chain. I did check to make sure that the CAs in question appeared in the "Authorities" tab. I will check again. In any event, I followed the same process on Windows and on Linux. In the Windows case, the CRLs were imported.
> On the Windows version, this functionality works OK.
> However, if I remove the CRL then try and import a more up to date CRL,
> I get an error.
What version of NSS are you using?
I downloaded and installed the Windows version of the web. How do I find out which version of NSS is being used? I guess there is a separate package under Linux, so I will check it out to see if it was updated.
I vaguely (and perhaps erroneously) recall that there is (er, once was) a
problem that occurs when your only CRL expires or is removed. The problem
is that if NSS thinks you have (or had) a CRL for a CA, then NSS cannot
thereafter verify any signatures without the CRL for that CA, INCLUDING
the signatures on new CRLs. I think that was fixed in NSS 3.10 or 3.11,
but my memory of this is pretty hazy.
Perhaps MisterCRL will reply to this soon.
> Is there a problem with the Linux version or am I doing something
> wrong? Is there a build option I need to get this to work properly?
> How about the windows version?
What version is that?
For both the windows and Linux version, they are Firefox 1.5.0.1.
Thanks for the help,
Bruce
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
