Hi Jacob,

I think you were confused by my colleague Li-Chun's email because he mentioned a lot about using self-issued certificates for key rollover, AIA certificate chaining support, and the bug of Microsoft IIS (note: not the IE browser) in handling self-issued certificates. All of these are actually off-topic. We are sorry if his email confused you.

Here I would like to clarify that we are not here to ask for support of self-issued certificates or AIA certificate chaining. We are simply here to request that Mozilla accept our second generation of Government Root CA certificate. Currently, our first generation of Government Root CA certificate has already been in the trust list of Mozilla. After Mozilla accepts our second generation of Government Root CA certificate, our certificate chains for SSL will look like the following:

1. Government Root CA (first generation) --> GCA (first generation) --> SSL Cert
2. Government Root CA (second generation) --> GCA (second generation) --> SSL Cert

This is the same as the situation of other root CAs performing key rollover. One thing that differs from other commercial CAs is that we do not change the issuer DN when our root CA performs key rollover. I have already explained a lot of this in this discussion thread. According to our tests, using the same issuer DN between generations of root CA certificates actually will not cause a problem for browsers to perform certificate chaining. Therefore, please do not worry about it.

> > The mistake was to use a part of those standards which is often
> > problematic in the real world. For example, according to your
> > presentation, when IIS builds server certificate chains to send to
> > clients, it compares only the DN, causing problems when non-AIA-
> > downloading browsers visit IIS-powered sites with GCA certificates.

Since this is off-topic, I would not like to spend a lot of time and space discussing self-issued certificate and AIA issues here. However, to make a quick clarification, browsers do not have a problem if the certificate chain contains self-issued certificates. Actually, even Microsoft's IE can handle certificate chains containing self-issued certificates. It is Microsoft's IIS that cannot correctly send the certificate chain to the client side. Other HTTPS servers such as Apache have no problem with certificate chains containing self-issued certificates.

> > It is a technical mistake in believing all software handles multiple
> > certificates with the same DN, not a legal mistake in reading a
> > document saying this should be permitted.

As I have mentioned, browsers actually do not have a problem with the same issuer DN between generations of root CA certificates.

Wen-Cheng Wang

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
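The post's claim, that two root generations sharing one issuer DN chain correctly as long as the path builder does not stop at the DN, can be checked with a small experiment. The Go program below is an added example written for this page; it is not code from the thread or from the Government Root CA. It builds two constructed root-to-GCA-to-server chains whose root and GCA DNs are identical across generations (the names "Example Government Root CA", "Example GCA" and "www.example.test" are placeholders, not the real Taiwan GRCA names), then (a) runs Go's standard `Verify` with both roots trusted, which tries every trust anchor with a matching name and checks the signature, and (b) contrasts a DN-only issuer lookup of the kind the thread attributes to IIS with one that also matches the Authority Key Identifier against the Subject Key Identifier.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Constructed example DNs. Both generations reuse the same root and GCA DN,
// mirroring the rollover described in the thread.
var (
	rootDN = pkix.Name{Country: []string{"XX"}, Organization: []string{"Example Government"}, CommonName: "Example Government Root CA"}
	gcaDN  = pkix.Name{Country: []string{"XX"}, Organization: []string{"Example Government"}, CommonName: "Example GCA"}
)

// Generation holds one root -> GCA -> SSL certificate chain.
type Generation struct{ Root, GCA, Leaf *x509.Certificate }

// issue generates a fresh P-256 key, sets a SKI derived from it, and signs tmpl
// with parentKey (self-signed when parent is nil). Go fills the AKI from the
// parent's SKI for non-self-signed certificates.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	spki, err := x509.MarshalPKIXPublicKey(&key.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	ski := sha1.Sum(spki)
	tmpl.SubjectKeyId = ski[:]
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildGeneration creates root, GCA and server certificates for one root key
// generation; serial only seeds the serial numbers so the two runs differ.
func BuildGeneration(serial int64) (Generation, error) {
	now := time.Now()
	caTmpl := func(dn pkix.Name, sn int64) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(sn), Subject: dn,
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	root, rootKey, err := issue(caTmpl(rootDN, serial), nil, nil)
	if err != nil {
		return Generation{}, err
	}
	gca, gcaKey, err := issue(caTmpl(gcaDN, serial+1), root, rootKey)
	if err != nil {
		return Generation{}, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial + 2),
		Subject:      pkix.Name{CommonName: "www.example.test"}, DNSNames: []string{"www.example.test"},
		NotBefore:    now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf, _, err := issue(leafTmpl, gca, gcaKey)
	return Generation{root, gca, leaf}, err
}

// VerifyWithRoots runs Go's standard path validation: candidate issuers are
// found by name, then each candidate's signature is checked, so two trust
// anchors with the same DN are both tried and the right one wins.
func VerifyWithRoots(g Generation, roots ...*x509.Certificate) error {
	rootPool, icaPool := x509.NewCertPool(), x509.NewCertPool()
	for _, r := range roots {
		rootPool.AddCert(r)
	}
	icaPool.AddCert(g.GCA)
	_, err := g.Leaf.Verify(x509.VerifyOptions{Roots: rootPool, Intermediates: icaPool, DNSName: "www.example.test"})
	return err
}

// PickIssuerByDN mimics a builder that takes the first root whose subject DN
// equals the GCA's issuer DN and never consults key identifiers.
func PickIssuerByDN(gca *x509.Certificate, roots []*x509.Certificate) (*x509.Certificate, error) {
	for _, r := range roots {
		if r.Subject.String() == gca.Issuer.String() {
			return r, gca.CheckSignatureFrom(r)
		}
	}
	return nil, errors.New("no issuer with matching DN")
}

// PickIssuerByKeyID additionally requires the root's SKI to equal the GCA's AKI.
func PickIssuerByKeyID(gca *x509.Certificate, roots []*x509.Certificate) (*x509.Certificate, error) {
	for _, r := range roots {
		if r.Subject.String() == gca.Issuer.String() && bytes.Equal(r.SubjectKeyId, gca.AuthorityKeyId) {
			return r, gca.CheckSignatureFrom(r)
		}
	}
	return nil, errors.New("no issuer with matching DN and key identifier")
}

func main() {
	gen1, err := BuildGeneration(1000)
	if err != nil {
		panic(err)
	}
	gen2, err := BuildGeneration(2000)
	if err != nil {
		panic(err)
	}
	roots := []*x509.Certificate{gen1.Root, gen2.Root}
	fmt.Println("standard verify, gen2 leaf, both roots trusted:", VerifyWithRoots(gen2, roots...))
	_, err = PickIssuerByDN(gen2.GCA, roots)
	fmt.Println("DN-only issuer selection for gen2 GCA:", err)
	_, err = PickIssuerByKeyID(gen2.GCA, roots)
	fmt.Println("DN+key-identifier issuer selection for gen2 GCA:", err)
}
```

With the first-generation root listed first, the DN-only lookup selects it for the second-generation GCA and the signature check fails, which is the failure mode the thread attributes to IIS; the standard verifier and the key-identifier-aware lookup both succeed because they disambiguate candidates by key rather than by name alone.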

