Eddy,
Eddy Nigg wrote:
>
> Neither Apache nor IIS do that AFAIK.
I believe the Netscape/iPlanet/Sun web server does at least log a
warning when the server comes up if the cert cannot be verified, for
example, because of a missing intermediate.
However, if the intermediate cert was installed, b
On Thu, Jul 24, 2008 at 5:37 AM, Jean-Marc Desperrier
<[EMAIL PROTECTED]> wrote:
>
> For example about the shareable database, your response late in February
> about that was that there was still a lot left to do for it, and that
> you didn't see the point unless both Fx and Tb had it and it could
Jean-Marc Desperrier wrote, On 2008-07-24 05:37:
> For example about the shareable database, your response late in February
> about that was that there was still a lot left to do for it,
In NSS, yes. That work was completed, as planned.
> and that you didn't see the point unless both Fx and
Eddy Nigg wrote, On 2008-07-24 01:15:
> Nelson B Bolyard:
>> I believe that, within the Mozilla developer community, there is a widely
>> held misconception that NSS=PSM and the NSS team is the PSM team. But
>> that's really not correct. Most of the NSS developers are paid to work
>> on NSS but
Nelson B Bolyard wrote:
> Eddy Nigg wrote, On 2008-07-23 14:30:
>> Nelson B Bolyard:
>>> [...], when it sends the http get request to fetch the cert, it has
>>> not yet validated the cert from which it got the http URL, so it doesn't
>>> know if that URL is legitimate or from some hacker. It blind
Nelson B Bolyard:
>
> Only if the server cert is from a CA that follows a reasonable CP/CPS.
>
Obviously...
> The case of concern is the server with a self-signed cert, or cert from
> an unknown CA, that has an AIA extension that points to a tracking host
> of some sort. The chain won't validate
Eddy Nigg wrote, On 2008-07-23 14:30:
> Nelson B Bolyard:
>> Note that, when it sends the http get request to fetch the cert, it has
>> not yet validated the cert from which it got the http URL, so it doesn't
>> know if that URL is legitimate or from some hacker. It blindly fetches
>> whatever th
-critical extension, NIST requires the
support of this in PIV, and IMO for very good
reasons.
Anders Rundgren
- Original Message -
From: "Eddy Nigg" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To:
Sent: Wednesday, July 23, 2008 18:26
Subject: Re: question about c
Nelson B Bolyard:
>
> Note that, when it sends the http get request to fetch the cert, it has
> not yet validated the cert from which it got the http URL, so it doesn't
> know if that URL is legitimate or from some hacker. It blindly fetches
> whatever the server at that URL sends it. Quite a few
Eddy Nigg wrote, On 2008-07-23 08:26:
> IE fetches CA certificates on its own if a service URL of the CA issues
> is present in the parent certificate, but NSS doesn't for now.
Rather, Firefox 3 does not use the facility of NSS that is capable of
fetching certs in that fashion.
NSS 3.12 has lo
Eddy Nigg wrote, On 2008-07-23 09:26:
> Well, the RFC requires the server to send any chained CA certificate up
> to the CA root. The server doesn't have to send the root CA certificate
> itself however.
Correct. The TLS RFC requires that the server sends the chain.
The fact that it is now po
Nelson B Bolyard:
> Eddy Nigg wrote, On 2008-07-23 08:26:
>
>> IE fetches CA certificates on its own if a service URL of the CA issues
>> is present in the parent certificate, but NSS doesn't for now.
>
> Rather, Firefox 3 does not use the facility of NSS that is capable of
> fetching certs in that
Peter Djalaliev:
> Ah, I see. From what I can see in the RFC, this usage is not really
> forbidden, but not really standard either. Generalizing my question,
> what kind of X509v3 extensions does NSS currently support? I am aware
> that CAs often use these extensions in less-than-standard ways :)
Ah, I see. From what I can see in the RFC, this usage is not really
forbidden, but not really standard either. Generalizing my question,
what kind of X509v3 extensions does NSS currently support? I am aware
that CAs often use these extensions in less-than-standard ways :)
Peter
On Jul 23, 11:2
Eddy Nigg:
> IE fetches CA certificates on its own if a service URL of the CA issues
/issues/issuer/
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
Peter Djalaliev:
> Hello,
>
> I tried connecting to http://suppliers.intel.com (which redirects to
> https://supplier.intel.com/supplierhub) from Firefox 3 and IE7 and saw
> two different certificate chains when I tried to view the server
> certificate. IE7 recognized the root certificate as comin
The correct initial URL is http://supplier.intel.com, redirected to
https://supplier.intel.com/supplierhub
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Hello,
I tried connecting to http://suppliers.intel.com (which redirects to
https://supplier.intel.com/supplierhub) from Firefox 3 and IE7 and saw
two different certificate chains when I tried to view the server
certificate. IE7 recognized the root certificate as coming from a
trusted issuer, whi