Yes, that's exactly right. Sorry that I wasn't clear. I have a friend who's receiving signed emails from various people but he can't verify the signatures in Thunderbird because the certificate chain in the message doesn't quite reach back to any of his trust anchors. The missing certs are available online and could be fetched with AIA to build a complete path from his trust anchors to the signing certificate but Thunderbird doesn't seem to do that (which I call "path building").
I think libpkix was integrated into NSS 3.12 and path building is (or at least was) a feature of libpkix. Of course, integrating libpkix doesn't mean that every libpkix feature is enabled in NSS. And enabling those features in Thunderbird is another step beyond. I just figured that I would ask if there's some hidden configuration setting to enable path building or something. Thanks, Steve > -----Original Message----- > From: dev-tech-crypto-bounces+shanna=funk....@lists.mozilla.org > [mailto:dev-tech-crypto-bounces+shanna=funk....@lists.mozilla.org] On > Behalf Of Nelson B Bolyard > Sent: Friday, February 18, 2011 1:38 PM > To: mozilla's crypto code discussion list > Subject: Re: Path building in Thunderbird > > On 2011-02-18 10:22 PDT, Wan-Teh Chang wrote: > > On Thu, Feb 17, 2011 at 7:10 AM, Stephen Hanna <sha...@juniper.net> > wrote: > >> Does Thunderbird support certification path building? If so, how > >> is it enabled and configured? > > > > Hi Steve, > > > > I am confused by your question. An S/MIME client obviously must > > support certification path building by default. Did I miss > something? > > Wan-Teh, I suspect Steve is referring to active building of paths by > fetching missing certs from URIs in certs' AIA extensions. > > Steve, Have I surmised correctly? > > -- > /Nelson Bolyard > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
