IMO IE does the right thing. The problem is actually worse in the other direction, since FF (at least 2.x) forces you to manually install intermediate certificates for PIV/FIPS201 cards in order for the selection process to work correctly.

Although AIA CA Issuer is listed as a non-critical extension, NIST requires support for this in PIV, and IMO for very good reasons.

Anders Rundgren

----- Original Message -----
From: "Eddy Nigg" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Wednesday, July 23, 2008 18:26
Subject: Re: question about certificate chain from https://suppliers.intel.com

Peter Djalaliev:
> Ah, I see. From what I can see in the RFC, this usage is not really
> forbidden, but not really standard either. Generalizing my question,
> what kinds of X509v3 extensions does NSS currently support? I am aware
> that CAs often use these extensions in less-than-standard ways :)

Well, the RFC requires the server to send any chained CA certificate up to the CA root. The server doesn't have to send the root CA certificate itself, however. In this case it's the browser (IE) which goes the extra mile to fetch those missing CA certs if possible. If IE encounters in the AIA extension the "CA Issuers" field with a service URL, it fetches the certificate from there and, if it's really the issuer of the server certificate, builds the chain. Obviously this non-standard behavior has had the result that careless sysadmins cared even less about correct installation of the certificates.

I'm not 100% sure, but to the best of my knowledge NSS will support the same behavior soon as well, or in theory already has the capability to do so (in PKIX). Nelson might know when this will be due...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
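The AIA chase Eddy describes, as an added example that is not code from this thread, from IE or from NSS: a Go program builds a constructed three-level hierarchy whose leaf carries a CA Issuers URL pointing at the issuing CA, then lets a client that received only the leaf follow that URL, accept the fetched certificate only if it actually signed the leaf, and verify up to a trusted root. The example.invalid URLs and the in-memory map standing in for the HTTP fetch are assumptions of the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue signs a certificate with parent (self-signed when parent is nil); aia fills the AIA "CA Issuers" URLs.
func issue(cn string, isCA bool, aia []string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, IssuingCertificateURL: aia}
	if parent == nil { parent, pk = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pk)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der)
	return c, key
}

// buildChain mimics the AIA-chasing client: while the leaf does not verify, follow the current cert's CA Issuers
// URL (fetch stands in for the HTTP GET, returning DER or nil) and keep the result only if it really issued that cert.
func buildChain(leaf *x509.Certificate, roots *x509.CertPool, fetch func(string) []byte) ([]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	for cur, hops := leaf, 0; hops < 8; hops++ { // bounded: the AIA URL is untrusted input from the peer's cert
		if chains, err := leaf.Verify(opts); err == nil { return chains[0], nil } // a trusted root was reached
		if len(cur.IssuingCertificateURL) == 0 { return nil, errors.New("chain incomplete, no AIA URL to follow from " + cur.Subject.CommonName) }
		url := cur.IssuingCertificateURL[0]
		cand, err := x509.ParseCertificate(fetch(url)) // a failed fetch yields nil, which fails to parse
		if err != nil || cur.CheckSignatureFrom(cand) != nil { return nil, errors.New("no usable issuer certificate at " + url + " for " + cur.Subject.CommonName) }
		opts.Intermediates.AddCert(cand) // only a certificate that really signed cur is added
		cur = cand
	}
	return nil, errors.New("too many AIA hops")
}

func main() {
	root, rk := issue("Constructed Root CA", true, nil, nil, nil)
	ica, ik := issue("Constructed Issuing CA", true, nil, root, rk)
	leaf, _ := issue("suppliers.example.invalid", false, []string{"http://example.invalid/ica.der"}, ica, ik)
	roots := x509.NewCertPool(); roots.AddCert(root)
	web := map[string][]byte{"http://example.invalid/ica.der": ica.Raw} // what the CA serves at the AIA URL
	chain, err := buildChain(leaf, roots, func(u string) []byte { return web[u] }) // the server sent only the leaf
	println(len(chain), err == nil)
}
```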