I created a certificate path consisting of root CA, sub CA and EE cert and put
it in a PKCS 12 file including the private key to the EE cert.

When I import it in MSIE 6 I get the question if I want to install the root CA.

In FF I don't get any question about that and the root is indeed installed
as well.

IMO there are a number of issues here; some are specific to the particular
clients and some are generic.

In principle I don't think that an EE certificate of yours (including path)
has anything to do with your trusted parties.  That the root was supplied
could be due to the fact that it may be a good idea to supply the entire
path, at least to new contacts.

That FF automatically made the root trusted is a bug or a feature.  I would
claim that it is a bug because if somebody like a community distributes a
certificate it is because *they* want you to use a certificate. That is not
the same as you trust their roots for everything including SSL certs which
I guess this feature will enable as well.

That signText required the EE cert to be trusted as reported before is
IMO a clear bug.  There can be no *requirements* for having any
CA certs because that is a relying party issue.

In the US Higher Education PKI TAG they are reportedly working
with Mozilla to change a related thing which they claim is a bug.
They claim that Thunderbird does not read the cert-path when
supplied in P11 interface.  IMO there is no standard that says
that you should or must do that. 

password for the enclosed p12 is: testing

comments?

Anders
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
