On 03/23/2009 06:29 AM, Nelson B Bolyard:
> 1) When the user downloaded his new email cert in his browser, he didn't
> get the full chain, but only got his own cert. So, he didn't have the
> complete cert chain in his browser when he exported it to a PKCS#12 file.
> If the cert chain had been complete in the browser, then it would have
> been complete in the PKCS12 file, also, and the entire chain would have
> been imported into Thunderbird.
>
> The incomplete chain downloaded into Firefox is the problem that must be
> fixed. It's the most crucial. I don't know if it's entirely an issue
> in the CA (:-) or also partially in Firefox.

Unfortunately, Firefox DOES NOT include the chain in the PKCS12 file even
if the complete chain is present in the browser.

> 2) As you know, NSS 3.12 has the ability to share a single DB pair
> between the browser and Thunderbird, but that feature has not yet been
> put to use in either Firefox or Thunderbird.

Yes, that's unfortunate too.

> 3) Mozilla email clients do not require that the client have a complete
> chain for its own cert in order to send a signed or encrypted email.

That's, to all of my knowledge, not correct. TB requires the complete
chain; otherwise the certificate is not trusted, hence it will refuse to
sign.

> Maybe we should change Thunderbird so that it won't let you send a
> message with an incomplete or unverifiable chain.

To all of my knowledge, this is what happens today.

> 4) Maybe, at the time the user downloads his newly issued cert, we could
> warn the user "You've just downloaded a cert with an incomplete chain
> that will cause you no end of grief until you get the missing certs.
> Please contact your CA." :)

That would be a helpful hint. But overall I believe that we should start
to fetch them, in both Firefox and Thunderbird. It's required from the
usability point of view.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto