Melelina wrote:
>> This is not correct! IE fetches the intermediate CA if it finds a CA
>> issuer extension within the subscriber certificate, which isn't really
>> by any RFC, but nevertheless very useful! Many server installations are
>> missing the intermediate CA files and IE gets around this problem in
>> this way...Something to consider for Mozilla Firefox?
>>
>> At our CA, we have a robot checking for missing ICA certificates....and
>> send an appropriate message to the subscriber...
>>
>
> Ah! A voice of sanity. Of course, Fx should have some method of obtaining
> these intermediate certs so that the user doesn't have to go look for them
> themselves as I have done!  Microsoft and other sites are not going to fix
> their servers that quickly...if ever and Fx should have a way to work around
> that instead of haughtily insisting that standards aren't being met and that
> the poor user should just contact the website with the misconfigured server
> and complain. That is not realistic to ask that of the average Fx user.
>
Well....actually the correct thing to do is to define and update the 
standards, because what MS does is wrong! They correct the problem their 
way in a non-standard way and create more problems....IE is the problem, 
not all the other browsers which adhere to the standard...typically!!

But having said that, fighting MS is doing it the hard way...and 
depending on the policy of Mozilla (which does some non-standard things if 
forced to ;-)), perhaps we should "fix" it the same way...does anybody 
know if such a bug already exists?
> What the reality is currently is that Fx, by refusing to figure out a way,
> as IE has, to get these intermediate certs installed when servers are
> misconfigured, is encouraging the user to just ignore any popup
> warnings about the certs and to just click to accept any and all. It makes
> for a jaded user and invites security problems. In respect to how certs are
> handled, much as I love Fx, I think IE is superior in this regard.
It's not....but as usual creates problems for all the others...we have 
seen that in bad web site designs by webmasters and some sites which 
"don't work" in Mozilla, Opera...But Mozilla had to work around these 
problems as well...so this is perhaps another one to tackle...?

BTW, the ICA certificates get installed into the IE cert store 
permanently after fetching them...but they weren't there from the 
beginning. If you'd import now the same ICA cert into the authorities 
store at Firefox you should be OK as well...for now...

-- 
Regards
 
Signer:      Eddy Nigg, StartCom Ltd.
Jabber:      [EMAIL PROTECTED]
Phone:       +1.213.341.0390
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
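
The "CA issuer extension" discussed in this thread is the Authority Information Access extension with a caIssuers entry. The following is an added example, not code from the thread, from any browser or from the CA's robot: a stdlib-only Python DER walker that extracts the caIssuers URL a checker would need in order to locate a missing intermediate. The sample bytes and the example URLs are constructed for illustration.

```python
AIA_OID = bytes.fromhex("2b06010505070101")         # 1.3.6.1.5.5.7.1.1 (AIA)
CA_ISSUERS_OID = bytes.fromhex("2b06010505073002")  # 1.3.6.1.5.5.7.48.2

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):  # split a constructed element's content into (tag, value)
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def ca_issuer_urls(der):
    """Return every caIssuers URI found in an AIA extension of a DER cert."""
    urls = []
    def walk(value):
        kids = children(value)
        if kids and kids[0] == (0x06, AIA_OID):
            # Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
            octets = next(v for t, v in kids if t == 0x04)
            for _, desc in children(read_tlv(octets, 0)[1]):
                (_, method), (loc_tag, loc) = children(desc)[:2]
                if method == CA_ISSUERS_OID and loc_tag == 0x86:  # [6] = URI
                    urls.append(loc.decode("ascii"))
            return
        for tag, val in kids:
            if tag & 0x20:  # constructed element: descend
                walk(val)
    walk(read_tlv(der, 0)[1])
    return urls

def tlv(tag, value):  # sample builder only: short-form length (< 128 bytes)
    return bytes([tag, len(value)]) + value

# Constructed sample, not a real certificate: only the nesting that holds AIA.
OCSP = tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505073001")) + tlv(0x86, b"http://ocsp.example"))
ISSUER = tlv(0x30, tlv(0x06, CA_ISSUERS_OID) + tlv(0x86, b"http://ca.example/ica.crt"))
EXT = tlv(0x30, tlv(0x06, AIA_OID) + tlv(0x04, tlv(0x30, OCSP + ISSUER)))
SAMPLE = tlv(0x30, tlv(0xA3, tlv(0x30, EXT)))
```

For a real certificate, pass the bytes returned by `ssl.PEM_cert_to_DER_cert()` to `ca_issuer_urls()`; an empty list means the certificate carries no caIssuers hint, so the intermediate must come from the server's chain.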
