Nelson B Bolyard:
> Eddy Nigg wrote, On 2008-06-24 14:56:
>
>> Another question is, what happens if the cross-signed certificate is
>> revoked AND NSS recognizes the revocation. Would this effectively have
>> the DigiNotar root show up as revoked?
>
> It would, UNLESS any of the following were true:
>
> 1. A newer Entrust cross (intermediate) CA cert existed, and was being
> served by the server you were trying to reach, or
>
> 2. A newer Entrust cross (intermediate) CA cert existed, and you had
> previously visited a server that was serving that newer cert.  In that
> case, you would have the newer cert in your cert DB and it would take
> precedence over any older cert with the same issuer and subject names.
>
> 3. DigiNotar's new root was available and trusted in your client and
> DigiNotar's new root had issued a new "rollover" cert itself that was
> newer than the older Entrust cross cert, and either
> a) that rollover cert was being served by the server you were visiting, or
> b) you already had that rollover cert in your cert DB from a prior visit.
>
> /Nelson

Basically the same issue as the current one, which is why DigiNotar's root
chains to that of Entrust, even though the root is included in NSS. In
that case this isn't a good option either, which leaves us... disabling
the email bit of Entrust?

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
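
The three exceptions listed in the quoted reply can be walked through with a small model. This is an added example, not NSS code and not part of the original message: it is a simplified model of the "newest cert wins" rule as stated in the reply, and every name, date and function in it is constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    not_before: date
    revoked: bool = False

def select_ca_cert(subject, served, cert_db, trusted_roots):
    """Newest cert for `subject` among served + cached certs with a trusted issuer.

    Simplification: every candidate is assumed to be issued directly by a root.
    """
    pool = [c for c in [*served, *cert_db]
            if c.subject == subject and c.issuer in trusted_roots]
    return max(pool, key=lambda c: c.not_before, default=None)

def shows_as_revoked(subject, served, cert_db, trusted_roots):
    """True when the cert that wins selection is the revoked one."""
    chosen = select_ca_cert(subject, served, cert_db, trusted_roots)
    return chosen is not None and chosen.revoked

# Constructed sample data (hypothetical names and dates).
CA = "DigiNotar CA"
OLD_CROSS = Cert(CA, "Entrust Root", date(2007, 1, 1), revoked=True)
NEW_CROSS = Cert(CA, "Entrust Root", date(2008, 1, 1))
ROLLOVER = Cert(CA, "DigiNotar New Root", date(2008, 3, 1))
ENTRUST_ONLY = {"Entrust Root"}
BOTH_ROOTS = {"Entrust Root", "DigiNotar New Root"}

def scenarios():
    """Each entry: does the CA show up as revoked in that situation?"""
    return {
        "only the revoked cross cert is known":
            shows_as_revoked(CA, [OLD_CROSS], [], ENTRUST_ONLY),
        "1. server serves a newer cross cert":
            shows_as_revoked(CA, [NEW_CROSS], [OLD_CROSS], ENTRUST_ONLY),
        "2. newer cross cert cached from a prior visit":
            shows_as_revoked(CA, [OLD_CROSS], [NEW_CROSS], ENTRUST_ONLY),
        "3a. rollover cert served, new root trusted":
            shows_as_revoked(CA, [ROLLOVER], [OLD_CROSS], BOTH_ROOTS),
        "3b. rollover cert cached, new root trusted":
            shows_as_revoked(CA, [OLD_CROSS], [ROLLOVER], BOTH_ROOTS),
        "rollover cert served, new root NOT trusted":
            shows_as_revoked(CA, [ROLLOVER], [OLD_CROSS], ENTRUST_ONLY),
    }

if __name__ == "__main__":
    for name, revoked in scenarios().items():
        print(f"{name}: {'revoked' if revoked else 'not revoked'}")
```

In this model the revocation only takes effect in the first and last scenarios, where no newer cert with a trusted issuer is available to the client.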
