Nelson wrote:
>>> NSS (and therefore mozilla products) do not do automatic fetching of
>>> certificates at this point in time.
> 
>>> Currently all protocols have a way of transmitting the necessary
>>> intermediate certificates, and mozilla products depend on these protocols.

>> In theory yes, in practice no. If you use TLS client-auth as an example, FF
>> would require that every sub-CA was known in advance by the relying party
>> (server) in order to provide the proper DNs for certificate filtering &
>> selection. 

>No.  In TLS client auth, the server sends out a list of names of CAs that
>it trusts as issuers of client auth certs.  The client is required to send
>a cert in that is issued directly (or indirectly) by one of the CAs named
>by the server.  That is, the client's cert must be issued by a named CA,
>or have a cert chain that "chains up" to a named CA.

Did I say anything else?  The AIA caIssuers extension allows you to
"chain up" automatically.  This is very good if you have FIPS 201, since
there are just EE-level certs in the cards.  Using mozilla you have
to install the missing path.  But you are going to update this part so
it will work better, as Bob explained.

<snip>

> So the server doesn't need to keep any intermediate
>CAs below the ones it trusts; that is, between its own named points of
>trust and the client's EE certs.

You are right, all the burden is on the client, which is the reason why
AIA caIssuers is important to support.

>>> Automatic fetching is a PKIX feature, and is targeted for NSS 3.12.
> 
>> Good!

>But the SSL and TLS protocols will not immediately cease to require the
>sending of the cert chains as previously explained when libPKIX becomes
>available.

No, but you get away from installing local cert paths.  In WASP, I intend
to make the full path optional.  That is, the requester says one or all.

<snip>
>Each CA has its own serial number space, and its own unique issuer name.
>For two different certs to have the same issuer name and same serial numbers
>means that one or more CAs goofed.

My certpath is OK.  So is my understanding of RFC 3280.

Anders

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
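The path building the two of them are arguing about, as an added example in Go that is not code from this thread, from NSS or from Mozilla: a constructed root -> sub-CA -> end-entity hierarchy in which only the EE certificate is "on the card" and carries an AIA caIssuers pointer, a client-side path builder that follows that pointer (through a hypothetical fetch function standing in for the HTTP GET) until crypto/x509 can verify a path to a trusted root, and the TLS client-auth rule Nelson describes, that the resulting path must pass through one of the CA names the server sent in its CertificateRequest. The caIssuers URL, the CA names and the in-memory "repository" behind the URL are all assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Hypothetical caIssuers location of the sub-CA certificate (not a real URL).
const subCAURL = "http://pki.example.test/sub-ca.cer"

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a minimal certificate template; aia, if set, becomes the
// authorityInfoAccess caIssuers entry (RFC 3280 section 4.2.2.1).
func template(serial int64, cn string, isCA bool, aia []string) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IssuingCertificateURL: aia,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	return t
}

// newCert issues tmpl for a fresh P-256 key; parent == nil means self-signed.
func newCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildHierarchy constructs root -> sub-CA -> EE (all constructed fixtures). Only the
// EE is on the card; the returned map stands in for the web server behind the AIA URL.
func BuildHierarchy() (*x509.Certificate, *x509.Certificate, map[string][]byte) {
	root, rootKey := newCert(template(1, "Example Root CA", true, nil), nil, nil)
	sub, subKey := newCert(template(2, "Example Sub CA", true, nil), root, rootKey)
	ee, _ := newCert(template(3, "alice", false, []string{subCAURL}), sub, subKey)
	return root, ee, map[string][]byte{subCAURL: sub.Raw}
}

// BuildPath follows caIssuers pointers from an EE with no intermediates at hand until
// crypto/x509 can verify a path to a root. Everything fetched is untrusted input: only
// the issuer/subject name match and the final signature verification admit it.
func BuildPath(ee *x509.Certificate, roots *x509.CertPool, fetch func(string) []byte) ([]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	cur := ee
	for hops := 0; hops < 8; hops++ { // bounded: the URLs come from untrusted certs
		if chains, err := ee.Verify(opts); err == nil {
			return chains[0], nil // complete path: EE ... root
		}
		var next *x509.Certificate
		for _, u := range cur.IssuingCertificateURL {
			c, err := x509.ParseCertificate(fetch(u)) // nil on a miss -> parse error
			if err == nil && bytes.Equal(c.RawSubject, cur.RawIssuer) {
				next = c
				break
			}
		}
		if next == nil || bytes.Equal(next.RawSubject, next.RawIssuer) {
			return nil, fmt.Errorf("cannot complete the path above %q", cur.Subject.CommonName)
		}
		opts.Intermediates.AddCert(next)
		cur = next
	}
	return nil, fmt.Errorf("gave up after too many caIssuers hops")
}

// ChainsToNamedCA is the client-auth rule: the server's CertificateRequest carries
// DER-encoded CA names, and the offered cert must chain up to one of them.
func ChainsToNamedCA(chain []*x509.Certificate, acceptableCAs [][]byte) bool {
	for i := 1; i < len(chain); i++ { // chain[0] is the EE itself, never an issuer
		for _, name := range acceptableCAs {
			if bytes.Equal(chain[i].RawSubject, name) {
				return true
			}
		}
	}
	return false
}

func main() {
	root, ee, repo := BuildHierarchy()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	chain, err := BuildPath(ee, roots, func(u string) []byte { return repo[u] })
	check(err)
	fmt.Println(len(chain), "certs in path; acceptable to server:",
		ChainsToNamedCA(chain, [][]byte{root.RawSubject}))
}
```

Two things worth noticing. Without the fetch (or with a repository that does not answer) BuildPath fails, which is exactly the situation of a Mozilla client that has not had the sub-CA installed locally; the Certificate message in SSL/TLS is what normally fills that gap, and AIA lets the client fill it itself. And the fetched certificate never becomes trusted by being fetched: a wrong subject name is skipped, a self-signed stranger is rejected, and anything else still has to survive Verify against the configured roots, with the hop limit making sure a hostile pointer chain terminates.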