On 09/18/2008 02:05 AM, David E. Ross:
> Note that this is not a unique situation. See bug #390835 at
> <https://bugzilla.mozilla.org/show_bug.cgi?id=390835>. Unfortunately,
> Internet Explorer (IE) works around this situation by searching the
> Internet for missing intermediate certificates. I consider this a
> security vulnerability in IE. However, because of IE's behavior, many
> Web server hosts ignore this problem (e.g., Canon, per bug #390835).
>
Please note that IE isn't "searching" the Internet for missing certs, but is using the AIA CA Issuers extension of the server certificate to download the missing certificates. If the fetched CA certificate doesn't chain to a CA root, it will not use it. If there is no AIA extension, IE will also report an error (as with FF).

There is absolutely no security issue at all with following the AIA CA Issuers extension; otherwise FF could not use the same extension to find the OCSP responder URL either. Nevertheless, NSS does exactly that: it uses the OCSP URL listed in the AIA extension.

I've been banging my head against a wall here because of this FUD and misinformation, which is absolutely incorrect. Sad, because there are many FF users running into it. And it doesn't help to ignore the fact that web site admins don't install their certs correctly - it works in IE and that's it. Similar tweaks and corrections were made for FF if major sites didn't play nicely with standards in order to make FF usable. With the new error reporting for invalid certificates, this issue should have been solved beforehand. :-(

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
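The chain-building behaviour described above (follow the AIA caIssuers URL of the server certificate, but accept the downloaded certificate only if the chain then ends at a configured root), as an added Go example that is not code from this thread, from NSS or from IE. The HTTP download is replaced by a constructed `Fetcher` map so it runs offline, the certificates are minted in memory, and `AIAURL`, `mint` and `Scenario` are names chosen for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Fetcher stands in for the HTTP GET of an AIA caIssuers URL: a constructed map so this runs offline.
type Fetcher map[string]*x509.Certificate

const AIAURL = "http://ca.example.test/intermediate.cer" // constructed caIssuers URL, not a real host

// VerifyWithAIA follows the leaf's AIA caIssuers URLs (Go exposes them as IssuingCertificateURL) and
// adds whatever they serve to the *untrusted* intermediate pool: a fetched cert can link the chain
// to a configured root but never becomes a trust anchor itself.
func VerifyWithAIA(leaf *x509.Certificate, roots *x509.CertPool, fetch Fetcher) error {
	opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool()}
	for _, u := range leaf.IssuingCertificateURL {
		if ca, ok := fetch[u]; ok {
			opts.Intermediates.AddCert(ca)
		}
	}
	_, err := leaf.Verify(opts) // fails unless some chain ends at a certificate in roots
	return err
}

// mint issues a throwaway Ed25519 certificate (self-signed when parent is nil); each carries the AIA URL.
func mint(cn string, serial int64, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), IsCA: ca, BasicConstraintsValid: ca,
		IssuingCertificateURL: []string{AIAURL}, KeyUsage: map[bool]x509.KeyUsage{true: x509.KeyUsageCertSign, false: x509.KeyUsageDigitalSignature}[ca]}
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Scenario: missing = server sent no intermediate and nothing was fetched (error, the Firefox case);
// fetched = the AIA URL serves the right intermediate (nil); untrusted = it serves a CA outside our roots (error).
func Scenario() (missing, fetched, untrusted error) {
	root, rootKey := mint("Trusted Root", 1, true, nil, nil)
	inter, interKey := mint("Trusted Intermediate", 2, true, root, rootKey)
	leaf, _ := mint("www.example.test", 3, false, inter, interKey)
	rogue, rogueKey := mint("Rogue Root", 4, true, nil, nil)
	rogueLeaf, _ := mint("www.example.test", 5, false, rogue, rogueKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return VerifyWithAIA(leaf, roots, Fetcher{}), VerifyWithAIA(leaf, roots, Fetcher{AIAURL: inter}),
		VerifyWithAIA(rogueLeaf, roots, Fetcher{AIAURL: rogue})
}
```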