Dear Kai,

I think I misunderstood your complaint a bit. Apparently Bob and Nelson think I'm wrong as well.

So here we go again... Serial number + Issuer MUST indeed be unique within a CA. Therefore the following was interpreted as incorrect:

Issuer: Root
Serial: 1
Subject: Root

Issuer: Root
Serial: 1
Subject: Sub

But you must apply path building before enforcing the serial-issuer rule. If you do that you will note that Sub was signed by Root, which means that they do not represent the same CA. That Root is actually signed by the same key and has the same issuer as Sub does not put it on the same level as Sub, since Root is self-signed. Actually there are no requirements that trust anchors must be certificates; just public keys do fine.

"Funny" stuff for you [soon-to-be] AIA caIssuers implementers:
http://www.imc.org/ietf-pkix/mail-archive/msg03741.html
http://www.imc.org/ietf-pkix/mail-archive/msg03752.html
http://www.imc.org/ietf-pkix/mail-archive/msg03758.html

Anders

----- Original Message -----
From: "Kai Engert" <[EMAIL PROTECTED]>
To: "Anders Rundgren" <[EMAIL PROTECTED]>
Cc: "Mozilla Crypto" <dev-tech-crypto@lists.mozilla.org>
Sent: Wednesday, September 27, 2006 04:11
Subject: Re: Mozilla's use of AIA caIssuers URIs

Both your root.cert and cacert.cert seem to have the same serial number and issuer. That is forbidden.

But even if your certs had unique serial numbers, I don't know whether NSS would be able to fetch that intermediate dynamically from the web. I doubt it.

Kai

Anders Rundgren wrote:
> The following 3-level certificate hierarchy works as expected when looking at
> it in MSIE:
>
> Root certificate: http://webpki.org/mozbug/root.cer (to be imported)
> Actual CA certificate: http://webpki.org/mozbug/cacert.cer (NOT to be
> imported since the EE cert's AIA CAissuers URI points to this)
> EE certificate and private key: http://webpki.org/mozbug/anders.p12 (Import
> and use password "testing")
>
> Using Mozilla FF (latest release on Windows) the built-in certificate viewer
> says that the EE cert is untrusted even though Root was imported and edited as trusted.
>
> Are there any known problems with path building in the certificate viewer? I
> don't use Thunderbird so I could not test with e-mail.
>
> Anders
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
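The two readings argued in this thread (Kai: every certificate seen from the same issuer must carry a distinct serial, the self-signed Root included; Anders: build the path to a bare public-key trust anchor first and apply the issuer+serial rule only to the certificates that end up in the path) can be made concrete with a toy path builder. The block below is an added example and is not code from the thread, from NSS or from MSIE. It uses a constructed "PKI" in which a public key is an opaque string and a signature is a hash over the signer's key and the to-be-signed fields, which models only "which key signed this certificate" and is not real cryptography. The names Root, Sub, the serials 1 and 4711, and the key strings are assumptions chosen to mirror the layout Anders describes.

```python
import hashlib
from dataclasses import dataclass

# Toy PKI (constructed for this example): a "public key" is an opaque string and a
# "signature" is a hash over the signer's key plus the TBS fields. Not real crypto;
# it only records which key signed which certificate.


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    serial: int
    public_key: str
    signature: str


def _tbs(subject, issuer, serial, public_key):
    return f"{subject}|{issuer}|{serial}|{public_key}"


def _toy_sign(signer_key, subject, issuer, serial, public_key):
    data = signer_key + "\n" + _tbs(subject, issuer, serial, public_key)
    return hashlib.sha256(data.encode()).hexdigest()


def make_cert(subject, issuer, serial, public_key, signer_key):
    return Cert(subject, issuer, serial, public_key,
                _toy_sign(signer_key, subject, issuer, serial, public_key))


def verifies_under(cert, signer_key):
    """True if cert's signature was produced by signer_key (toy check)."""
    return cert.signature == _toy_sign(signer_key, cert.subject, cert.issuer,
                                       cert.serial, cert.public_key)


def is_self_signed(cert):
    return cert.subject == cert.issuer and verifies_under(cert, cert.public_key)


def build_path(ee, pool, trust_anchor_keys):
    """Walk from the EE cert towards a trust anchor given as a bare public key.

    Returns [ee, ..., last cert whose signature verifies under an anchor key].
    The anchor's own self-signed certificate is never part of the path, even if
    it happens to sit in the pool.
    """
    path = [ee]
    current = ee
    while not any(verifies_under(current, k) for k in trust_anchor_keys):
        candidates = [c for c in pool
                      if c.subject == current.issuer
                      and c not in path
                      and verifies_under(current, c.public_key)]
        if not candidates:
            raise ValueError(f"no issuer certificate found for {current.subject!r}")
        current = candidates[0]
        path.append(current)
    return path


def duplicate_issuer_serial(certs):
    """Return every (issuer, serial) pair that occurs more than once in certs."""
    seen, dups = set(), []
    for c in certs:
        key = (c.issuer, c.serial)
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


# Constructed certificates mirroring the thread: Root (self-signed) and Sub both
# carry issuer "Root" and serial 1; the EE is issued by Sub.
ROOT_KEY, SUB_KEY, EE_KEY = "root-key", "sub-key", "ee-key"
ROOT = make_cert("Root", "Root", 1, ROOT_KEY, ROOT_KEY)
SUB = make_cert("Sub", "Root", 1, SUB_KEY, ROOT_KEY)
EE = make_cert("anders", "Sub", 4711, EE_KEY, SUB_KEY)
POOL = [ROOT, SUB, EE]


def check_pool_first():
    """Kai's reading: apply the rule to every cert seen, self-signed Root included."""
    return duplicate_issuer_serial(POOL)


def check_path_first():
    """Anders's reading: build the path to a key-only anchor, then check only the path."""
    path = build_path(EE, POOL, trust_anchor_keys={ROOT_KEY})
    return [c.subject for c in path], duplicate_issuer_serial(path)


if __name__ == "__main__":
    print("pool-first duplicates:", check_pool_first())
    print("path-first (subjects, duplicates):", check_path_first())
```

With the anchor given as the key `ROOT_KEY` rather than as the Root certificate, the path stops at Sub and the duplicate pair never enters it; with the whole pool inspected up front, the collision between Root and Sub is reported. Which of the two a real validator does is exactly what the thread disputes, and the example takes no position beyond showing that the order of the two steps decides the outcome.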