On 14/5/2021 2:58 a.m., Ryan Sleevi wrote:
* Cross-certification adds another certificate to the chain,
  which is sometimes difficult for customers to configure, and
  S/MIME clients do not process cross certificates very well.
* Mozilla should distinguish between root CAs supporting
  serverAuth certificates vs. S/MIME certificates, and Mozilla
  should keep the email trust bit and remove the websites trust
  bit to help bridge the transition.
These are somewhat reasonable, although the statement about S/MIME
clients is one that demands evidence, and is a little suspect based on
the major implementations I've examined in the past. Supported with
concrete data, it might be reasonable to treat a TLS transition
independent of an S/MIME transition.
We were able to reproduce and confirm past findings on this issue
regarding the S/MIME agents not using cross-certificates in the chain.
Our tests were performed using Thunderbird as sending agent and
TB/Outlook as receiving agents.
The sending agent trusted the old and new Root and included the
cross-certificate in its local certificate store.
The signed email contained only the Intermediate Certificate that chains
to the new Root. There was no way to "dictate" that TB include the
cross-certificate in the signature.
The receiving agents trusted only the old Root.
The receiving agents did not attempt to follow the AIA CAIssuers URI in
order to get the cross-certificate, therefore the path validation failed
and the signature was marked invalid.
Dimitris.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/b8891dcf-b042-4514-2324-61d0cc101c13%40it.auth.gr.
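The failure Dimitris reports is a certification path-building problem: the message carries only the intermediate (issued by the new Root), the receiver trusts only the old Root, and the only link between the two, the cross-certificate, is neither in the message nor fetched via AIA. The model below is an added illustration, not code from the thread or from Thunderbird or Outlook. It reduces certificates to their name/key-identifier chaining fields (no signatures are checked), and all certificate names, key identifiers and the AIA URI are invented. It implements RFC 4158-style depth-first path building, including the case the scenario hinges on: the self-signed new Root and the cross-certificate have the same subject and key identifier, so both are candidate issuers for the intermediate and only one of them leads to a trust anchor the receiver holds.

```python
"""Model of certification path building for the cross-certified S/MIME case.

Added example, not code from the mailing-list thread or from any mail client.
Certificates are reduced to chaining fields; no signature is verified. All
names, key identifiers and the AIA URI below are invented for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # subjectKeyIdentifier: identifies the public key in this cert
    aki: str  # authorityKeyIdentifier: key that signed this cert
    aia_ca_issuers: Optional[str] = None  # AIA caIssuers URI, if present


# Constructed PKI: the CA rolled from OLD_ROOT to NEW_ROOT and issued CROSS,
# which carries NEW_ROOT's key but is signed by OLD_ROOT's key.
OLD_ROOT = Cert("CN=Old Root", "CN=Old Root", "k-old", "k-old")
NEW_ROOT = Cert("CN=New Root", "CN=New Root", "k-new", "k-new")
CROSS = Cert("CN=New Root", "CN=Old Root", "k-new", "k-old")
INTERMEDIATE = Cert("CN=Issuing CA", "CN=New Root", "k-ica", "k-new",
                    aia_ca_issuers="http://example.invalid/cross.cer")
LEAF = Cert("CN=alice@example.invalid", "CN=Issuing CA", "k-alice", "k-ica")

# Offline stand-in for what an AIA caIssuers fetch would return (constructed).
AIA_REPOSITORY = {"http://example.invalid/cross.cer": [CROSS]}


def build_path(leaf, trust_anchors, untrusted, fetch_aia=False, max_depth=8):
    """Return a path [leaf, ..., trust anchor] or None if none can be built.

    Depth-first search. At each step every certificate (anchor or untrusted)
    whose subject and SKI match the current cert's issuer and AKI is a
    candidate; several can match (NEW_ROOT and CROSS both do for
    INTERMEDIATE), so each branch is tried. If no candidate exists and AIA
    chasing is enabled, the caIssuers URI is consulted once and the search
    retried with the fetched certificates added to the pool.
    """
    anchors = set(trust_anchors)

    def issuers_of(cert, pool):
        return [c for c in pool if c.subject == cert.issuer and c.ski == cert.aki]

    def search(path, pool):
        current = path[-1]
        if current in anchors:
            return path
        if len(path) > max_depth:
            return None
        candidates = issuers_of(current, list(anchors) + [c for c in pool if c not in path])
        if not candidates and fetch_aia:
            fetched = [c for c in AIA_REPOSITORY.get(current.aia_ca_issuers, [])
                       if c not in pool]
            return search(path, pool + fetched) if fetched else None
        for cand in candidates:
            if cand in path:  # guard against cross-certification loops
                continue
            found = search(path + [cand], pool)
            if found:
                return found
        return None

    return search([leaf], list(untrusted))


def signed_message_certs():
    """Certificates embedded in the CMS signature: the signer and the
    intermediate that chains to the new Root, but not the cross-certificate,
    matching the sending-agent behaviour described in the thread."""
    return [LEAF, INTERMEDIATE]


def verify_at_receiver(trust_anchors, local_store, message_certs, fetch_aia):
    """Receiver-side check: pool = local store plus the certs in the message."""
    signer, *carried = message_certs
    return build_path(signer, trust_anchors, list(local_store) + carried, fetch_aia)


if __name__ == "__main__":
    msg = signed_message_certs()
    print("sender (trusts both roots, has cross in store):",
          build_path(LEAF, {OLD_ROOT, NEW_ROOT}, [INTERMEDIATE, CROSS]))
    print("receiver (old root only, no AIA):",
          verify_at_receiver({OLD_ROOT}, [], msg, fetch_aia=False))
    print("receiver (old root only, AIA chasing):",
          verify_at_receiver({OLD_ROOT}, [], msg, fetch_aia=True))
    print("receiver (old root only, cross in local store):",
          verify_at_receiver({OLD_ROOT}, [CROSS], msg, fetch_aia=False))
```

Running it reproduces the four outcomes the report implies: the sender builds a path to the new Root directly; a receiver with only the old Root and no AIA chasing builds nothing and would mark the signature invalid; enabling AIA chasing or pre-loading the cross-certificate into the receiver's store yields the four-certificate path ending at the old Root.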