Melelina wrote: > I don't have a server. I am a user who got an email from Microsoft asking me > to participate in a global survey of Microsoft's customer service.
Then you should reply and tell them their site is misconfigured, and that it throws up security warnings, and they should fix it. You can even tell them how to, as we've explained it in this thread. > There is no dialog when I try to visit the site that would allow me to > "Accept this certificate permanently" . That's strange - I get one. > As for root certs...Verisign has stopped that. They are no more. Verisign > certs are NO LONGER signed by a root authority. They have switched to an > intermediate authority only. They have spent two years switching and just > finished this month...hence all the problems because Fx hasn't kept up! The way it works is that certificates are in a chain. It used to be a chain of only two - the website cert -> the root cert. Verisign, for very good reasons, has switched to a chain of three - website cert -> intermediate cert -> root cert. And it's the webserver's responsibility to provide all the certs in the chain except the root. So the webserver certs are still signed by a root authority, indirectly. If they were not in a chain of trust linking to a root, then no browser would trust them. > already had. Explain to me how Fx is going to handle Verisign 2 step certs > if it won't keep the intermediate cert in the store? See above. > I don't care if Microsoft has a misconfigured server and I don't really > think that is the problem. I simply want Fx to accept the cert which it > should be doing. No, it shouldn't. I can create a cert which claims to be a "VeriSign Class 3 Secure Server CA" and sign my webserver's cert with it. If you then visit my website, you'll get exactly the same error as you see at the ipsos.com site. The ipsos one is genuine and my one isn't - but there's no way Firefox can tell that without a copy of the intermediate cert. Gerv _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
