John Gardiner Myers wrote:
This has been filed as bug 235585. Currently, PSM is determining what
to fingerprint itself; it isn't calling into NSS. I'd appreciate it if you
could provide details of what was changed and when in the bug, so I can
decide whether to fix it or not.
Several points
Julien Pierre wrote:
Thanks for tracking the problem down with the certificate!
Well, I try to not only be the guy who constantly bugs you about the
/right/ way to validate a CRL ;-)
___
mozilla-crypto mailing list
[EMAIL PROTECTED]
Jean-Marc Desperrier wrote:
I didn't require that :-)
I believe this also means you use the same alg as Microsoft CAPI which
makes things simpler for everybody.
And the specification for that algorithm would be where?
The signed part of them should. The unsigned part is not required to.
Can
Henrik,
Henrik Gemal wrote:
Thanx for the info Pierre.
First name is Julien actually...
Could you help determine the cause of this alert so I can report it to
the server admins?
I narrowed it down to these URLs. To reproduce, first go to:
https://i.tdconline.dk/tdco/gfx/local/sso/knap_q.gif
Henrik Gemal wrote:
I narrowed it down to these URLs. To reproduce, first go to:
https://i.tdconline.dk/tdco/gfx/local/sso/knap_q.gif
then go to:
https://bestilling.certifikat.tdc.dk/csp/authenticode/README
You found a *very* interesting case.
The culprit is the third certificate in the
Jean-Marc,
Jean-Marc Desperrier wrote:
But the fingerprints of the two certificates do not match anymore, so NSS
reports them as two different certs with the same serial number.
Maybe for *that* particular case, NSS should use a fingerprint based on
the signed part of the cert.
It is annoying
Julien Pierre wrote:
First, both NSS and OpenSSL are now using the same algorithm to
compute fingerprints - on the entire certificate encoding, not the
signed part. We had complaints that it was different and made it match
(I don't remember what the difference was, as I didn't write the fix,
Henrik,
I thought the message made it quite clear that it is a problem with the
server. There could be a lot of reasons for this, but the main one is
somebody is trying to play CA and does not know the rules of PKI. They
may have issued multiple server certs with the same serial number, or