Mele wrote:
> Help is of little help when it comes to this entire area of Certificate Management. That section of Help really needs a HUGE rewrite. Your explanation is excellent. Why can't something like it be incorporated into Help? I think the Certs section of Help is the skimpiest, most unsatisfactory area. Even Help for Fx 2.0 beta 1 is poor in this regard.

Two quick points:

1. This is an open source project, and as such anyone is welcome to help out and improve the help text, if there are any volunteers out there who have the time and interest in doing this.

2. If volunteers aren't forthcoming, this may be an area where it's worth the Mozilla Foundation making a grant or two to support work in this area. To the NSS/PSM developers: If you know of anyone interested and capable of doing this work, please feel free to contact me.

> I have another question: How do the profiles affect, if at all, the certs?

I'll leave this question to someone else, as I don't know the answer "off the top of my head" and don't have time right now to investigate the question.

> Before I fall asleep here:
>
> beta.microsoft.com
> blogs.technet.com
>
> Two sites that Fx says the certificate cannot be trusted.

I looked into this topic a bit, and found a blog post addressing this general question, as well as a Bugzilla bug report:

http://blogs.msdn.com/larryosterman/archive/2004/06/04/148612.aspx
https://bugzilla.mozilla.org/show_bug.cgi?id=245609

The short answer is that the Microsoft servers in question are not configured as typically recommended for SSL and TLS. They send to the browser an SSL/TLS server certificate, but do not send the rest of the certificates in the so-called "certificate chain", i.e., the certificate of the intermediate CA issuing the server cert (Microsoft Secure Server Authority in this case), the cert of the intermediate CA above that, and the cert of the root CA at the top of the hierarchy.

In this case it appears that Firefox (and other Mozilla-based products) actually have pre-loaded the root CA under which the Microsoft CA certs are issued, but because the Microsoft servers don't send the full cert chain, Firefox doesn't know which root CA is the one to use.

IE doesn't throw an error because Microsoft chose a different way of handling the case when a full cert chain isn't sent from the server. I'll simply say that there's legitimate disagreement over whether the Microsoft approach is actually consistent with the relevant standards, and leave it at that.

(We've had frequent discussions in the mozilla crypto forum about this issue, and I don't have time to try to summarize all the differing positions and their pros and cons.)

There are not as many Microsoft secure sites with this problem as there were even six months ago.

That's because over time Microsoft has reconfigured its servers to be more in line with what CAs typically recommend.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
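As an added example (not from this thread, and not Mozilla or NSS code), the situation Frank describes reproduced with the openssl command line: a throwaway root -> intermediate -> server chain is built, then the server cert is verified once as if the server sent only its own cert and once with the intermediate included. It assumes an openssl binary on the PATH; the CA and host names are made up.

```shell
#!/bin/sh
# Added example (not from the thread): build a throwaway three-tier test PKI
# (root CA -> intermediate CA -> server cert) with the openssl CLI, then verify
# the server cert as a client that trusts only the root would. All names are made up.
set -e

# build_test_pki DIR: writes root.pem, int.pem and leaf.pem (plus keys) into DIR.
build_test_pki() {
  dir=$1; cnf=$dir/pki.cnf
  # Private config so the script does not depend on the system openssl.cnf.
  printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\n' > "$cnf"
  printf 'basicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\n' >> "$cnf"
  # Self-signed root CA: the kind of cert a browser ships pre-loaded.
  openssl req -x509 -new -config "$cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$dir/root.key" -out "$dir/root.pem" -subj "/CN=Test Root CA" -days 2 2>/dev/null
  # Intermediate CA signed by the root (the "Microsoft Secure Server Authority" role above).
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/int.key" -out "$dir/int.csr" -subj "/CN=Test Intermediate CA" 2>/dev/null
  openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -extfile "$cnf" -extensions v3_ca -days 2 -out "$dir/int.pem" 2>/dev/null
  # Server (leaf) certificate signed by the intermediate.
  openssl req -new -config "$cnf" -newkey rsa:2048 -nodes \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/int.pem" -CAkey "$dir/int.key" \
    -CAcreateserial -days 2 -out "$dir/leaf.pem" 2>/dev/null
}

# verify_as_client DIR [SENT...]: trust only root.pem, treat each SENT file as a
# certificate the server presented alongside leaf.pem, and print OK or FAIL.
verify_as_client() {
  dir=$1; shift
  untrusted=""
  for f in "$@"; do untrusted="$untrusted -untrusted $dir/$f"; done
  if openssl verify -CAfile "$dir/root.pem" $untrusted "$dir/leaf.pem" >/dev/null 2>&1; then
    echo OK
  else
    echo FAIL   # openssl reports "unable to get local issuer certificate" here
  fi
}

# Stand-alone demo: a server that sends only its own cert fails to verify;
# the same server sending leaf + intermediate verifies.
demo() {
  work=$(mktemp -d)
  build_test_pki "$work"
  echo "leaf only:           $(verify_as_client "$work")"
  echo "leaf + intermediate: $(verify_as_client "$work" int.pem)"
  rm -rf "$work"
}
demo
```

The same check against a live server is `openssl s_client -connect host:443 -showcerts`, which lists every certificate the server actually sent.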
