Eddy Nigg wrote, On 2009-03-23 08:30:
> On 03/23/2009 06:29 AM, Nelson B Bolyard:
>> 1) When the user downloaded his new email cert in his browser, he didn't
>> get the full chain, but only got his own cert. So, he didn't have the
>> complete cert chain in his browser when he exported it to a PKCS#12 file.
>> If the cert chain had been complete in the browser, then it would have
>> been complete in the PKCS12 file, also, and the entire chain would have
>> been imported into Thunderbird.
>>
>> The incomplete chain downloaded into Firefox is the problem that must be
>> fixed. It's the most crucial. I don't know if it's entirely an issue
>> in the CA (:-) or also partially in Firefox.
>
> Unfortunately Firefox DOES NOT include the chain in the PKCS12 file even
> if the complete chain is present in the browser.
I just tried it. I "exported" one of my personal certs to a p12 file in FF
and then examined the p12 file. It contained the chain of 3 certs,
including EE, intermediate and root. So I have an existence proof of my
statement about the p12 files it creates.

If TB now does attempt to validate the user's own cert before allowing him
to sign with it, that's a "new" (though maybe not recent) development in TB.
It didn't always.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
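The disputed point above (whether an exported .p12 carries EE, intermediate and root) can be checked mechanically. The following is an added example, not code from the thread or from Mozilla; it assumes the `cryptography` package, builds a constructed three-certificate chain, exports it as PKCS#12 both with and without the CA certificates, and walks issuer names to report whether the file is complete. Names, passwords and the `chain_status`/`build_demo_p12` helpers are all constructed for the demo.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PASSWORD = b"demo-password"  # constructed; protects the demo file only

def chain_status(p12_bytes, password):
    """Walk issuer names from the end-entity cert through the file's extra certs.
    Returns ("complete", chain) on reaching a self-signed root, else ("incomplete", partial).
    Only issuer/subject names are matched; signatures are not verified here."""
    _key, ee, extra = pkcs12.load_key_and_certificates(p12_bytes, password)
    by_subject = {c.subject.rfc4514_string(): c for c in extra or []}
    chain, cur = [ee], ee
    for _ in range(16):  # bound the walk so a malformed file cannot loop forever
        if cur.issuer == cur.subject:
            return "complete", chain
        cur = by_subject.get(cur.issuer.rfc4514_string())
        if cur is None:  # issuer not shipped in the PKCS#12: the import-side symptom
            return "incomplete", chain
        chain.append(cur)
    return "incomplete", chain

def make_cert(cn, key, issuer=None, issuer_key=None, ca=False):
    """Self-sign when no issuer is given; otherwise sign with the issuer's key."""
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(name)
            .issuer_name(issuer.subject if issuer else name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - datetime.timedelta(days=1))
            .not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True)
            .sign(issuer_key or key, hashes.SHA256()))

def build_demo_p12(include_chain):
    """Constructed root -> intermediate -> end-entity chain, exported as PKCS#12."""
    root_key, int_key, ee_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = make_cert("Demo Root CA", root_key, ca=True)
    inter = make_cert("Demo Intermediate CA", int_key, root, root_key, ca=True)
    ee = make_cert("user@example.test", ee_key, inter, int_key)
    cas = [inter, root] if include_chain else None  # what the exporting client chose to bundle
    return pkcs12.serialize_key_and_certificates(
        b"demo", ee_key, ee, cas, serialization.BestAvailableEncryption(PASSWORD))
```

Run `chain_status` on a real export (read the .p12 bytes and pass its password) to see whether the client bundled the issuers or only the user's own certificate.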