On 11/9/06, Bob Relyea <[EMAIL PROTECTED]> wrote:
> However, FF ALWAYS uses the first certificate it finds from PKCS11. I
> can switch the order around of the certs in my code and FF will
> always select the first one even if the usage for SSL is not there,
> even if I didn't select it when prompted.
So all signing certs are expected to be usable for Client Auth, as long
as they chain to one of the root certificates sent by the server. There
are recent changes to FF to prefer certificates which do have the
non-repudiation bit turned off. I believe these changes went into FF 2.0.

I should comment again to the ticket, that the problem should not be
approached by 'to prefer certificates which do have the non-repudiation
bit turned off' but the problem comes from the fact that
'non-repudiation is taken as signing certificate' even though it should
not be.

See
http://martin.paljak.pri.ee/2006/10/10/sexual-explanation-of-key-usage-bits-handling-in-firefox/

SSL usage in a certificate really means SSL server usage.

EKU of 'SSL client authentication' in a certificate should IMHO mean
'use this certificate for client authentication in SSL connections'?
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
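As an added example, not code from this thread, from NSS or from Firefox, the following Python decodes a certificate's KeyUsage BIT STRING and applies the selection rule the reply argues for: a certificate whose only relevant bit is nonRepudiation is a signing certificate and is not offered for client authentication, a certificate with digitalSignature (and clientAuth in its EKU, if one is present) is, and the choice does not depend on the order the token enumerates the certificates. The DER byte strings, labels and the `SAMPLE_TOKEN` list are constructed; the OID is id-kp-clientAuth from RFC 5280.

```python
# Constructed example (not NSS/Firefox code): decode an X.509 KeyUsage BIT STRING
# and apply the client-auth selection rule argued for in the thread.
# Bit positions from RFC 5280 4.2.1.3; bit 0 is the MSB of the first body byte.
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth (RFC 5280)


def decode_key_usage(der):
    """Parse a DER BIT STRING (tag 0x03, short-form length) into usage names."""
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or length != len(der) - 2:
        raise ValueError("unsupported or inconsistent length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("bad unused-bits octet")
    usable = len(body) * 8 - unused  # trailing pad bits are not usages
    return {KEY_USAGE_BITS[i] for i in range(min(usable, len(KEY_USAGE_BITS)))
            if body[i // 8] & (0x80 >> (i % 8))}


def client_auth_verdict(key_usage, eku=None):
    """'eligible', 'deprioritised' or 'rejected' for TLS client auth: require
    digitalSignature (a nonRepudiation-only cert is a signing cert, reject it),
    require clientAuth in the EKU when one is present, rank nonRepudiation lower."""
    if eku is not None and OID_CLIENT_AUTH not in eku:
        return "rejected"
    if "digitalSignature" not in key_usage:
        return "rejected"
    return "deprioritised" if "nonRepudiation" in key_usage else "eligible"


def pick_client_cert(candidates):
    """candidates: (label, keyusage_der, eku_set_or_None); best label or None.
    Ranks by verdict rather than by token order."""
    rank = {"eligible": 0, "deprioritised": 1}
    best = None
    for label, ku_der, eku in candidates:
        verdict = client_auth_verdict(decode_key_usage(ku_der), eku)
        if verdict in rank and (best is None or rank[verdict] < best[0]):
            best = (rank[verdict], label)
    return best[1] if best else None


# Constructed token contents, in the order a PKCS#11 token might return them.
SAMPLE_TOKEN = [("signing-only", b"\x03\x02\x06\x40", None),        # nonRepudiation
                ("auth", b"\x03\x02\x05\xa0", {OID_CLIENT_AUTH}),   # digSig+keyEnc
                ("both", b"\x03\x02\x06\xc0", {OID_CLIENT_AUTH})]   # digSig+nonRep
```

`pick_client_cert(SAMPLE_TOKEN)` returns "auth" whether the signing-only certificate is listed first or last.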