On Dec 31 2008, 12:28 am, "Kyle Hamilton" <aerow...@gmail.com> wrote:
> (note: "unknown_issuer" without talking at all about who the issuer
> claims to be

you're missing a critical point: the issuer is something about which we know nothing. someone could claim "issuer: GOD" or "issuer: POTUS" or "issuer: VeriSign". Without verifying the issuer, we can't and should neither attest to nor show it. And sadly, that's why it isn't shown.

Now, we could perhaps show a fingerprint (minus the fact that MD5 is at risk), but I tried searching for some fingerprints and haven't gotten good hits. http://eklhad.net/linux/app/ssl-certs turns up for MD5 fingerprint searches, but nothing shows up for the sha1 fingerprint i checked.

- the nss certutil code appears to be able to print sha1s too

> -- and being able to download a certificate and then accept it

it's true we don't do particularly well with chains, however i've rarely seen a useful misconfigured server with a partial chain and a missing root. if someone provides me with such a service, i'll see about trying to improve the user experience -- note that i'd prefer to start with an instance of a real broken server, since otherwise it's fairly pointless, however i could do the work from an example.

> without having to see who it's issued by -- is a "WTF WAS
> THE SECURITY TEAM THINK--WAIT, WAS THE SECURITY TEAM
> THINKING??!!!!" situation.

they were thinking about it more than you were. calmer heads with more thought prevailed. and what's important is that when our users get angry or panic, we don't want them accidentally doing something they'll regret later.

(hopefully you regret shouting in a public forum. personally i tend to regret each time i post anywhere.)

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto