Nelson,

Nelson B Bolyard wrote:
> Eddy Nigg wrote, On 2009-03-23 08:30:
>> On 03/23/2009 06:29 AM, Nelson B Bolyard:
>>> 1) When the user downloaded his new email cert in his browser, he didn't
>>> get the full chain, but only got his own cert.  So, he didn't have the
>>> complete cert chain in his browser when he exported it to a PKCS#12 file.
>>> If the cert chain had been complete in the browser, then it would have
>>> been complete in the PKCS12 file, also, and the entire chain would have
>>> been imported into Thunderbird.
>>>
>>> The incomplete chain downloaded into Firefox is the problem that must be
>>> fixed.  It's the most crucial.  I don't know if it's entirely an issue
>>> in the CA (:-) or also partially in Firefox.
>>
>> Unfortunately Firefox DOES NOT include the chain in the PKCS12 file even
>> if the complete chain is present in the browser.
>
> I just tried it.  I "exported" one of my personal certs to a p12 file in FF
> and then examined the p12 file.  It contained the chain of 3 certs,
> including EE, intermediate and root.  So I have an existence proof of my
> statement about the p12 files it creates.
>
> If TB now does attempt to validate the user's own cert before allowing him
> to sign with it, that's a "new" (though maybe not recent) development in TB.
> It didn't always.

I think I put some code in PSM a very long time ago, around Mozilla 1.0
timeframe, that caused the mail S/MIME component to check the cert before
signing. There was a very good reason for that, which escapes me right now.
It was 7 years ago or so. Bugzilla queries may find why.

I have never put code in Thunderbird though, nor ever used it.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
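The disagreement above is about what a browser-exported .p12 actually contains, and Nelson settles it by opening the file and counting certificates. The following is an added example, not code from this thread or from Firefox/Thunderbird: it builds a made-up three-certificate chain (root, intermediate, end-entity), exports it to PKCS#12 once with the chain and once with only the user's own cert, and then inspects each file the way one would check a real export. It assumes the Python `cryptography` package; every name in it (Example Root CA, alice@example.invalid, the password) is invented. The completeness check walks issuer links inside the bundle and verifies each signature, which is roughly what a pre-signing validation in a mail client would trip over when the intermediate is missing.

```python
"""Export a test chain to PKCS#12 with and without the CA certs, then check
what each .p12 carries.  Added example; requires 'cryptography'."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.serialization import pkcs12
from cryptography.x509.oid import NameOID

PASSWORD = b"export"  # made-up export password


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _make_cert(subject_cn, issuer_cert, issuer_key, is_ca):
    """Issue a test certificate; with no issuer it is self-signed (a root)."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer_name = issuer_cert.subject if issuer_cert else _name(subject_cn)
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(minutes=5))
        .not_valid_after(now + datetime.timedelta(days=365))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(issuer_key or key, hashes.SHA256())
    )
    return cert, key


def export_p12(ee_cert, ee_key, chain, password=PASSWORD):
    """Mimic a browser 'backup': EE cert + key plus whatever CA certs the
    exporter chooses to bundle (possibly none)."""
    return pkcs12.serialize_key_and_certificates(
        name=b"mail cert",
        key=ee_key,
        cert=ee_cert,
        cas=chain or None,
        encryption_algorithm=serialization.BestAvailableEncryption(password),
    )


def inspect_p12(blob, password=PASSWORD):
    """Return the subject of every certificate in the file, EE first."""
    _, ee, extras = pkcs12.load_key_and_certificates(blob, password)
    return [c.subject.rfc4514_string() for c in [ee] + list(extras)]


def _signed_by(cert, issuer):
    try:
        issuer.public_key().verify(
            cert.signature, cert.tbs_certificate_bytes,
            padding.PKCS1v15(), cert.signature_hash_algorithm,
        )
        return True
    except InvalidSignature:
        return False


def chain_is_complete(blob, password=PASSWORD):
    """Walk EE -> ... -> self-signed root using only certs in the bundle.
    Returns (complete, subjects_on_path).  Structural check only: no expiry,
    revocation or trust-anchor policy, so it is weaker than real validation."""
    _, ee, extras = pkcs12.load_key_and_certificates(blob, password)
    pool = list(extras)
    path, current = [ee], ee
    while True:
        if current.issuer == current.subject and _signed_by(current, current):
            return True, [c.subject.rfc4514_string() for c in path]
        issuer = next((c for c in pool if c.subject == current.issuer
                       and _signed_by(current, c)), None)
        if issuer is None:  # missing intermediate/root: chain stops here
            return False, [c.subject.rfc4514_string() for c in path]
        pool.remove(issuer)  # guards against loops in a malformed bundle
        path.append(issuer)
        current = issuer


# Constructed test chain (all names invented).
ROOT, ROOT_KEY = _make_cert("Example Root CA", None, None, True)
INTER, INTER_KEY = _make_cert("Example Mail CA", ROOT, ROOT_KEY, True)
EE, EE_KEY = _make_cert("alice@example.invalid", INTER, INTER_KEY, False)

FULL_P12 = export_p12(EE, EE_KEY, [INTER, ROOT])   # what a complete backup holds
EE_ONLY_P12 = export_p12(EE, EE_KEY, [])           # what an EE-only backup holds

if __name__ == "__main__":
    for label, blob in (("with chain", FULL_P12), ("EE only", EE_ONLY_P12)):
        print(label, inspect_p12(blob), chain_is_complete(blob))
```

On a real export the same two calls apply to the bytes read from the .p12 file with the password you chose in the browser; the thing to look at is whether `inspect_p12` lists the intermediate(s) and root, and whether `chain_is_complete` reaches a self-signed cert. If it stops at the EE cert, the chain was never in the exporting browser, and importing the file elsewhere cannot repair that.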
