Christian Bongiorno wrote:
> I am seeing some behavior from Thunderbird that I cannot explain. I have
> a PIV card with 3 certs on it -- all of which are supposed to be meant
> for different things. Thunderbird correctly sees the one applicable for
> digital signature, and correctly sees the one for encryption.

I believe the third cert is the authentication cert. Could you
tell me the differences between the authentication cert and
the signature verification cert? Do they differ only in the
non-repudiation key usage?

> 2 things:
> Whenever I select a cert it asks me if I want to use it for the
> complementary job as well. That's OK if the cert can do both, but in
> this case, these certs have exclusively different uses and I should
> never be prompted (The key usage is set accordingly). I guess that's
> just a usability issue.

Yes. The UI tries to make it simple for the user by giving the
illusion that there is only one cert if the certs have the same
issuer and subject name (and possibly some other cert fields),
which allow NSS to determine that the certs are related. The
underlying code does the right thing and selects a different cert
for the complementary job.

> The real problem is that when I tell TB to use two different certs,
> everything goes OK until I attempt to sign the email -- then it tells me
> that either no cert is configured for the job or my cert isn't trusted.

I don't know what went wrong here.

Wan-Teh
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto