Summary: I suspect that there's something wrong with the BUILT-IN Root CA cert UTN-USERFirst-Object in Firefox 3.0.1.
We were issued a code signing certificate which was signed by the UTN-USERFirst-Object cert built into Firefox (Comodo issues these). We have successfully signed our jar file with the certificate (verified with jarsigner -verify, etc.), however on Firefox 3.0.1 (on macosx), when our jar is loaded, we get a 'this applet was signed by <company name> however we cannot verify the signature' do you want to trust this applet? Showing the details lists our certificate, derived from the built-in UTN-USERFirst-Object certificate. I have verified that the signature on the UTN-USERFirst-Object shown in the dialog matches the internal one.

Looking at the built-in certificates (using Preferences->Advanced->Encryption, View Certificates) and scrolling down to The USERTrust Network list of certs -- pick the last one in the list. Viewing the certificate shows the message "Can't verify signature of this certificate for unknown reasons". I suspect that that is the problem; I do note that Firefox 2.x on Windows does NOT display the scary dialog, and accepts the jar as signed. It also displays the 'Can't verify signature of this certificate for unknown reasons' message when viewing the built-in certificate (which, in reading the archives of bugs from 2005, may mean something else entirely).

Can someone tell me:

1) Why the built-in UTN-USERFirst-Object cert is not verifiable (why is it in Firefox, then?)
2) Why the behavior (if it's the same certificate in FF 2.x and 3.0.1) is different between FF versions?

Thanks,