"Eddy Nigg (StartCom Ltd.)" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Gervase Markham wrote:
> >
> > IE will also have a similar problem, but only if it has never
> > encountered a correctly-configured web server (i.e. it caches
> > intermediate certs). So IE in new installs of Windows will also have the
> > problem.
> >
> >
> This is not correct! IE fetches the intermediate CA if it finds a CA
> issuer extension within the subscriber certificate, which isn't really
> by any RFC, but nevertheless very useful! Many server installations are
> missing the intermediate CA files and IE gets around this problem in
> this way...Something to consider for Mozilla Firefox?
>
> At our CA, we have a robot checking for missing ICA certificates....and
> send an appropriate message to the subscriber...

Ah! A voice of sanity. Of course, Fx should have some method of obtaining these intermediate certs so that the user doesn't have to go look for them themselves as I have done! Microsoft and other sites are not going to fix their servers that quickly...if ever, and Fx should have a way to work around that instead of haughtily insisting that standards aren't being met and that the poor user should just contact the website with the misconfigured server and complain. It is not realistic to ask that of the average Fx user.

The reality currently is that Fx, by refusing to figure out a way, as IE has, to get these intermediate certs installed when servers are misconfigured, is encouraging the user to just ignore any popup warnings about the certs and to just click to accept any and all. It makes for a jaded user and invites security problems. With respect to how certs are handled, much as I love Fx, I think IE is superior in this regard.

>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Phone: +1.213.341.0390
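
Added example, not part of the thread and not StartCom's or Mozilla's code: a sketch of the two mechanisms the quoted message mentions, reading the CA issuer URL from a certificate's Authority Information Access extension and checking whether a server sent every intermediate. All names, URLs and DER bytes are constructed, and chain linking is by name only, without signature verification.

```python
CA_ISSUERS = bytes.fromhex("2b06010505073002")  # OID 1.3.6.1.5.5.7.48.2
OCSP = bytes.fromhex("2b06010505073001")        # OID 1.3.6.1.5.5.7.48.1

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def ca_issuers_urls(aia_der):
    """URIs of caIssuers entries in a DER AuthorityInfoAccessSyntax value."""
    tag, body, _ = read_tlv(aia_der, 0)
    if tag != 0x30:
        raise ValueError("AIA value must be a SEQUENCE")
    urls, pos = [], 0
    while pos < len(body):
        _, desc, pos = read_tlv(body, pos)  # one AccessDescription
        t_oid, oid, nxt = read_tlv(desc, 0)
        t_loc, loc, _ = read_tlv(desc, nxt)
        if t_oid == 0x06 and oid == CA_ISSUERS and t_loc == 0x86:  # [6] = URI
            urls.append(loc.decode("ascii"))
    return urls

def missing_issuer(presented, trust_anchors):
    """First issuer name the server did not send, or None if complete.
    presented: (subject, issuer) pairs, leaf first. Name linking only."""
    sent = dict(presented)
    subject = presented[0][0]
    for _ in presented:
        issuer = sent[subject]
        if issuer in trust_anchors:
            return None    # chain reaches a trusted root
        if issuer not in sent:
            return issuer  # gap: this CA certificate was not sent
        subject = issuer
    raise ValueError("chain loops without reaching a trust anchor")

def der(tag, value):  # short-form lengths only, enough for the sample
    return bytes([tag, len(value)]) + value
# Constructed sample data (not from the thread)
SAMPLE_AIA = der(0x30,
    der(0x30, der(0x06, OCSP) + der(0x86, b"http://ocsp.ca.example")) +
    der(0x30, der(0x06, CA_ISSUERS) + der(0x86, b"http://ca.example/ica.crt")))
ROOTS = {"CN=Example Root CA"}
LEAF = ("CN=www.example", "CN=Example ICA")
ICA = ("CN=Example ICA", "CN=Example Root CA")
```

With only `LEAF` presented, `missing_issuer` names the intermediate that was left out, and `ca_issuers_urls` gives the location a client that follows the extension would fetch it from.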
