On 11/9/06, Bob Relyea <[EMAIL PROTECTED]> wrote:
> > However, FF ALWAYS uses the first certificate it finds from PKCS11. I can switch the order around of the certs in my code and FF will always select the first one even if the usage for SSL is not there, even if I didn't select it when prompted.
>
> So all signing certs are expected to be usable for Client Auth, as long as they chain to one of the root certificates sent by the server. There are recent changes to FF to prefer certificates which do have the non-repudiation bit turned off. I believe these changes went into FF 2.0.
I should comment again on the ticket that the problem should not be approached by 'to prefer certificates which do have the non-repudiation bit turned off' but the problem comes from the fact that 'non-repudiation is taken as signing certificate' even though it should not be. See http://martin.paljak.pri.ee/2006/10/10/sexual-explanation-of-key-usage-bits-handling-in-firefox/
> SSL usage in a certificate really means SSL server usage.
EKU of 'SSL client authentication' in a certificate should IMHO mean 'use this certificate for client authentication in SSL connections'?

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
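An added example, not part of the original message and not Firefox or NSS code: a sketch of a client-certificate selection policy in which the nonRepudiation bit alone never qualifies a certificate for TLS client authentication and an EKU of clientAuth counts as an explicit opt-in. The `Candidate` record, the labels, the ranking and the sample token contents are assumptions constructed for the illustration, and only signature-based client authentication is modelled.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

CLIENT_AUTH = "clientAuth"        # id-kp-clientAuth (1.3.6.1.5.5.7.3.2)
ANY_EKU = "anyExtendedKeyUsage"   # 2.5.29.37.0

@dataclass(frozen=True)
class Candidate:                  # hypothetical record, one per cert on the token
    label: str
    key_usage: Optional[FrozenSet[str]]  # None means the extension is absent
    eku: Optional[FrozenSet[str]]        # None means the extension is absent

def usable_for_client_auth(c: Candidate) -> bool:
    # If keyUsage is present it must assert digitalSignature; nonRepudiation
    # on its own marks a document-signing key, not an authentication key.
    if c.key_usage is not None and "digitalSignature" not in c.key_usage:
        return False
    # If EKU is present it must allow client authentication.
    if c.eku is not None and not (c.eku & {CLIENT_AUTH, ANY_EKU}):
        return False
    return True

def rank(c: Candidate) -> tuple:
    # Explicit clientAuth EKU first; among the rest, prefer certificates
    # that do not also carry nonRepudiation.
    explicit = c.eku is not None and CLIENT_AUTH in c.eku
    has_nr = c.key_usage is not None and "nonRepudiation" in c.key_usage
    return (0 if explicit else 1, 1 if has_nr else 0)

def select_client_certs(cands: List[Candidate]) -> List[str]:
    # sorted() is stable, so token order only breaks ties between equals.
    return [c.label for c in sorted(filter(usable_for_client_auth, cands), key=rank)]

# Constructed sample: the signing certificate is listed first on the token.
TOKEN_CERTS = [
    Candidate("signing", frozenset({"nonRepudiation"}), None),
    Candidate("mixed", frozenset({"digitalSignature", "nonRepudiation"}), None),
    Candidate("server", frozenset({"digitalSignature"}), frozenset({"serverAuth"})),
    Candidate("legacy", None, None),
    Candidate("auth", frozenset({"digitalSignature", "keyEncipherment"}),
              frozenset({CLIENT_AUTH})),
]

if __name__ == "__main__":
    print(select_client_certs(TOKEN_CERTS))
```

With this policy the position of a certificate on the PKCS#11 token no longer decides the outcome: the nonRepudiation-only certificate is dropped even though it is enumerated first.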