Hi Chris,

The answer is that the UI for picking one cert for signing and one cert for encryption is a slight lie. When Mozilla goes and grabs the cert it calls a function FindCertByUsage() which returns the appropriate certificate among several with the same subject. All certs with the same subject should be attached to the same personality, so if two different certs are appropriate, then it shouldn't matter which is chosen (NSS will choose the 'most up to date' of the two).

If you need to distinguish between two certs, you should have different subjects for those certs. This is because a given user will eventually have many certs for their personality -- one for encryption (which may be escrowed), one for authentication, and one for signing... plus old expired versions of these certs as the user renews them. You don't want to reselect these certs every time. You don't want to be changing your cert selection every time you renew.

Initially there was only one selection box for your cert, and the use of encryption versus signing was completely handled in NSS. That underlying code still exists, which I think the original UI designer did not realize. (The UI does allow you to select an encryption cert that has a different personality than your signing cert, which may be useful in some exceptional cases, but in general I think, for the most part, it leaves a misleading impression on the user.)

bob

Chris wrote:
> I'm working with my smartcard PKCS #11 module and I have 2 certificates
> available that can be used for signing messages. Both certs are tied to
> the same e-mail address and have the same subject.
>
> Mozilla lets me pick which one I want to use for signing e-mail (Account
> Settings->Security) but it only seems to use one of them when it
> actually performs the signing of the message. No matter which one I
> pick in the dropdown, it always uses the same one.
>
> This seems like a bug in Mozilla but I wouldn't rule out the possibility
> of problem being on my end if there is something special Mozilla
> requires to be able to pick a particular certificate when it performs
> the signature operation.
>
> Any thoughts?
>
> --
> // Chris
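
A simplified model of the selection behaviour described in the reply above, added here as an example and not taken from NSS, Mozilla or either poster. The `Cert` class, the functions `find_cert_by_usage` and `cert_used_for`, the sample certificates, and the reading of "most up to date" as "currently valid, then latest start date" are all assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

def day(y, m=1, d=1):
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass(frozen=True)
class Cert:
    label: str
    subject: str
    usages: frozenset
    not_before: datetime
    not_after: datetime

def find_cert_by_usage(store, subject, usage, now):
    """Among certs with this subject that fit `usage`, prefer one valid at
    `now`, then the latest not_before (assumed meaning of 'most up to date')."""
    fit = [c for c in store if c.subject == subject and usage in c.usages]
    if not fit:
        return None
    return max(fit, key=lambda c: (c.not_before <= now <= c.not_after, c.not_before))

def cert_used_for(store, ui_choice, usage, now):
    # The dropdown choice contributes only its subject (the "personality");
    # the certificate actually used is looked up again by usage.
    return find_cert_by_usage(store, ui_choice.subject, usage, now)

# Constructed sample data: four certs share one subject, one has its own.
SUBJ = "CN=Chris,E=chris@example.test"
SIGN, ENC = frozenset({"sign"}), frozenset({"encrypt"})
STORE = [
    Cert("sign-expired", SUBJ, SIGN, day(2001), day(2002)),
    Cert("sign-older", SUBJ, SIGN, day(2003), day(2005)),
    Cert("sign-newer", SUBJ, SIGN, day(2004), day(2006)),
    Cert("encrypt", SUBJ, ENC, day(2004), day(2006)),
    Cert("sign-other-subject", "CN=Chris (work),E=chris@example.test",
         SIGN, day(2003), day(2005)),
]
NOW = day(2004, 6, 1)

if __name__ == "__main__":
    for pick in STORE:
        used = cert_used_for(STORE, pick, "sign", NOW)
        print(f"picked {pick.label:20} -> signs with {used.label}")
```

In this model, picking either same-subject signing cert yields the same result, while the cert with a distinct subject is the only pick that changes which cert signs.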