Peter Djalaliev:
> Ah, I see. From what I can see in the RFC, this usage is not really
> forbidden, but not really standard either. Generalizing my question,
> what kinds of X509v3 extensions does NSS currently support? I am aware
> that CAs often use these extensions in less-than-standard ways :)
Well, the RFC requires the server to send any chained CA certificate up to the CA root. The server doesn't have to send the root CA certificate itself, however. In this case it's the browser (IE) which goes the extra mile to fetch those missing CA certs if possible. If IE encounters in the AIA extension the "CA Issuers" field with a service URL, it fetches the certificate from there and, if it's really the issuer of the server certificate, builds the chain. Obviously this non-standard behavior had the result that careless SysAdmins cared even less about correct installation of the certificates.

I'm not 100% sure, but to all of my knowledge NSS will support the same behavior soon as well, or in theory has already the capability to do so (in PKIX). Nelson might know when this will be due...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
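The "CA Issuers" field Eddy describes lives in the Authority Information Access extension; the following is an added example (not code from the thread or from NSS) that decodes an AIA extension value with a hand-rolled DER reader and lists the CA Issuers URLs a chain-completing client would have to fetch when a server omits its intermediates. The sample extension bytes and the example.test hostnames are constructed here for illustration.

```python
# Minimal DER reader for the AuthorityInfoAccess extension value (RFC 5280 4.2.2.1).
# Sample bytes are constructed below; hostnames under example.test are placeholders.
OID_OCSP = "1.3.6.1.5.5.7.48.1"        # id-ad-ocsp
OID_CA_ISSUERS = "1.3.6.1.5.5.7.48.2"  # id-ad-caIssuers: where a client fetches a missing issuer cert

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode DER OID contents into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this base-128 arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_aia(der):
    """Map accessMethod OID -> list of URIs from an AuthorityInfoAccessSyntax value."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE OF AccessDescription")
    result, pos = {}, 0
    while pos < len(body):
        _, desc, pos = read_tlv(body, pos)     # one AccessDescription SEQUENCE
        _, oid_bytes, p = read_tlv(desc, 0)    # accessMethod
        loc_tag, loc, _ = read_tlv(desc, p)    # accessLocation (GeneralName)
        if loc_tag == 0x86:                    # [6] uniformResourceIdentifier (IA5String)
            result.setdefault(decode_oid(oid_bytes), []).append(loc.decode("ascii"))
    return result

def ca_issuer_urls(der):
    """URLs a chain-completing client (IE in the thread) would fetch the issuer cert from."""
    return parse_aia(der).get(OID_CA_ISSUERS, [])

# Constructed sample: SEQUENCE { ocsp -> http://ocsp.example.test,
#                                caIssuers -> http://ca.example.test/issuer.cer }
SAMPLE_AIA = (
    bytes.fromhex("3055")
    + bytes.fromhex("3024 0608 2b06010505073001 8618") + b"http://ocsp.example.test"
    + bytes.fromhex("302d 0608 2b06010505073002 8621") + b"http://ca.example.test/issuer.cer"
)
```

A non-empty result from `ca_issuer_urls` on a server certificate is only useful to clients that do AIA fetching, so an operator should still ship the full intermediate chain rather than rely on it.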