On 9/8/2021 8:25 PM, Dimitris Zacharopoulos wrote:
On 14/5/2021 2:58 AM, Ryan Sleevi wrote:
* Cross-certification adds another certificate to the chain,
  which is sometimes difficult for customers to configure, and
  S/MIME clients do not process cross certificates very well.
* Mozilla should distinguish between root CAs supporting
  serverAuth certificates vs. S/MIME certificates, and Mozilla
  should keep the email trust bit and remove the websites trust
  bit to help bridge the transition.
These are somewhat reasonable, although the statement about S/MIME
clients is one that demands evidence, and is a little suspect based
on the major implementations I've examined in the past. Supported
with concrete data, it might be reasonable to treat a TLS transition
independent of an S/MIME transition.
We were able to reproduce and confirm past findings on this issue
regarding the S/MIME agents not using cross-certificates in the chain.
Minor correction. "not using cross-certificates in the chain" --> "not
*adding* cross-certificates in the chain" during the signing operation.
The signer would need to do weird "tricks" with the local trust store to
make the agent add the cross-certificate in the chain.
Our tests were performed using Thunderbird as sending agent and
TB/Outlook as receiving agents.
The sending agent trusted the old and new Root and included the
cross-certificate in the local certificate store.
The signed email contained only the Intermediate Certificate that
chains to the new Root. There was no way to "dictate" TB to include
the cross-certificate in the signature.
The receiving agents trusted only the old Root.
The receiving agents did not attempt to follow the AIA CAIssuers URI
in order to get the cross-certificate, therefore the path validation
failed and the signature was marked invalid.
Dimitris.
--
You received this message because you are subscribed to the Google
Groups "[email protected]" group.
To unsubscribe from this group and stop receiving emails from it, send
an email to [email protected].
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/b8891dcf-b042-4514-2324-61d0cc101c13%40it.auth.gr.
--
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/52b1658d-fc04-3603-c968-4ae68f92bd97%40it.auth.gr.
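The test Dimitris describes, reproduced with OpenSSL instead of Thunderbird and Outlook, as an added example that is not code from the thread or from any of the products mentioned in it. It builds an old root, a new root, a cross-certificate (the new root's key certified by the old root), an intermediate that chains only to the new root, and an S/MIME signing certificate; it then signs a message with just the intermediate attached (what the sending agent did) and again with the cross-certificate attached, and verifies both as a receiver that trusts only the old root. Every name here (Old Root, New Root, Email CA, Alice Example, alice@example.com, the AIA URL) and the scratch directory in `WORK` are constructed assumptions; `openssl` must be on the PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: reproduce the S/MIME path-validation
# failure with OpenSSL. All names (Old Root, New Root, Email CA, Alice Example,
# alice@example.com, the AIA URL) and the scratch directory are constructed.
set -e
WORK="${WORK:-$(mktemp -d)}"

# Extension profile shared by the roots, the cross-certificate and the intermediate.
ca_ext() {
  cat <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
EOF
}

# End-entity profile for an S/MIME signing certificate.
ee_ext() {
  cat <<'EOF'
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature
extendedKeyUsage=emailProtection
subjectAltName=email:alice@example.com
EOF
}

# Key pair + CSR: $1 = file stem, $2 = CN.
csr() {
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Issue $1.pem from $1.csr under CA $2 with extension file $3.
sign() {
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" \
    -CAcreateserial -days 730 -extfile "$WORK/$3" -out "$WORK/$1.pem" 2>/dev/null
}

build_pki() {
  ca_ext > "$WORK/ca.ext"
  ee_ext > "$WORK/ee.ext"
  # The intermediate carries the AIA caIssuers pointer the receiving agents ignored.
  { ca_ext; echo "authorityInfoAccess=caIssuers;URI:http://pki.example.com/cross.cer"; } \
    > "$WORK/int.ext"
  csr oldroot "Old Root"; csr newroot "New Root"
  csr intermediate "Email CA"; csr alice "Alice Example"
  for r in oldroot newroot; do   # two self-signed roots
    openssl x509 -req -in "$WORK/$r.csr" -signkey "$WORK/$r.key" -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/$r.pem" 2>/dev/null
  done
  # Cross-certificate: the New Root key certified by the Old Root. Same subject and
  # key as newroot.pem, different issuer, so an old-root-only verifier can chain.
  openssl x509 -req -in "$WORK/newroot.csr" -CA "$WORK/oldroot.pem" \
    -CAkey "$WORK/oldroot.key" -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" \
    -out "$WORK/cross.pem" 2>/dev/null
  sign intermediate newroot int.ext   # intermediate chains to the NEW root only
  sign alice intermediate ee.ext
}

# The cross-certificate certifies exactly the New Root public key. Prints yes/no.
same_key() {
  a=$(openssl x509 -in "$WORK/cross.pem" -noout -pubkey)
  b=$(openssl x509 -in "$WORK/newroot.pem" -noout -pubkey)
  [ "$a" = "$b" ] && echo yes || echo no
}

# Sign a constructed message with the intermediate alone (what the sending agent
# did) or with the cross-certificate added ($1 = intermediate | with-cross), then
# verify as a receiver that trusts only the Old Root. Prints OK or FAIL.
smime_roundtrip() {
  printf 'hello from alice\n' > "$WORK/msg.txt"
  if [ "$1" = with-cross ]; then
    cat "$WORK/intermediate.pem" "$WORK/cross.pem" > "$WORK/extra.pem"
  else
    cp "$WORK/intermediate.pem" "$WORK/extra.pem"
  fi
  openssl cms -sign -in "$WORK/msg.txt" -signer "$WORK/alice.pem" \
    -inkey "$WORK/alice.key" -certfile "$WORK/extra.pem" -out "$WORK/msg.p7m" 2>/dev/null
  # Like the receiving agents, cms -verify does not follow the AIA URI.
  if openssl cms -verify -in "$WORK/msg.p7m" -CAfile "$WORK/oldroot.pem" \
       -out /dev/null >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

build_pki
echo "cross-cert has new root key: $(same_key)"
echo "intermediate only:           $(smime_roundtrip intermediate)"
echo "intermediate + cross-cert:   $(smime_roundtrip with-cross)"
```

The `-certfile` option on `openssl cms -sign` is the knob the thread says Thunderbird does not expose: it decides which extra certificates travel inside the SignedData, and the receiver builds its path only from those plus its own trust store. The first round trip fails with "unable to get local issuer certificate" for Email CA; the second succeeds because the cross-certificate bridges New Root back to the Old Root the receiver trusts.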