On 01/29/2009 02:31 PM, Jean-Marc Desperrier:
> Gerv, what about changing the Firefox SSL page/implementation so that in that situation, for those 99% of the market, it gives the most informative information, non-scary, non-blocking possible? Even when there was an error in the configuration?
The problem is that the browser currently can't know which CA root is responsible for the end user certificate, because NSS doesn't fetch the issuer CA certificates. If it did that, it could build up a valid chain up to a known root (or not). The solution to the problem would really be to fetch the missing certificates when an issuer URI is present in the certificate, until it finds a valid root. In this way 99% of all errors could be omitted.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
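The chain building described in the reply above, as an added sketch that is not part of the original message and is not NSS code: the builder follows each certificate's issuer URI for a missing issuer, but only a locally configured root ever ends the chain as trusted. The `Cert` model, `build_chain`, the `key_id` match standing in for real signature verification, and the `ca.example` URLs are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    key_id: str                       # stand-in for the subject public key
    signer_key_id: str                # stand-in for "signature verifies under this key"
    ca_issuers: Optional[str] = None  # issuer URI (AIA caIssuers), if present

MAX_DEPTH = 5  # bound the number of hops so a hostile chain cannot loop forever

def issued_by(child, parent):
    # Name chaining plus the signature stand-in; a real client verifies the signature.
    return child.issuer == parent.subject and child.signer_key_id == parent.key_id

def build_chain(leaf, sent, roots, fetch=None):
    """Return (chain, status). `sent` is what the server supplied, `roots` the
    local trust store, `fetch` an optional callable mapping URI -> Cert or None."""
    chain, seen, cur = [leaf], {leaf.key_id}, leaf
    for _ in range(MAX_DEPTH):
        root = next((r for r in roots if issued_by(cur, r)), None)
        if root is not None:
            return chain + [root], "trusted"
        parent = next((c for c in sent if issued_by(cur, c)), None)
        if parent is None and fetch and cur.ca_issuers:
            candidate = fetch(cur.ca_issuers)  # fetched data is untrusted input
            if candidate is not None and issued_by(cur, candidate):
                parent = candidate
        if parent is None:
            return chain, "unknown issuer"
        if parent.key_id in seen:
            return chain, "loop"
        seen.add(parent.key_id)
        chain.append(parent)
        cur = parent
    return chain, "too deep"

# Constructed sample data: a server that forgot to send its intermediate.
ROOT = Cert("Example Root CA", "Example Root CA", "k-root", "k-root")
INTER = Cert("Example Intermediate CA", "Example Root CA", "k-int", "k-root",
             "http://ca.example/root.crt")
LEAF = Cert("www.example.test", "Example Intermediate CA", "k-leaf", "k-int",
            "http://ca.example/intermediate.crt")
AIA_STORE = {"http://ca.example/intermediate.crt": INTER,
             "http://ca.example/root.crt": ROOT}

if __name__ == "__main__":
    print(build_chain(LEAF, [], [ROOT])[1])                 # no fetching
    print(build_chain(LEAF, [], [ROOT], AIA_STORE.get)[1])  # with fetching
```

With an empty trust store the same fetches still end in "unknown issuer": a root obtained over the network completes the path for diagnostics but is never treated as a trust anchor.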