"Nelson Bolyard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Melelina wrote: > >> The cert is issued to www.microsoft.ipsos.com by Verisign. > > Or it appears to be. > >> I want to use Fx at Microsoft sites and I am very tired of Fx problems >> with >> Microsoft certs > > But you haven't yet shown any evidence of FF having a problem with a > Microsoft site. The site you cited is NOT a Microsoft site. The cert > for that server claims to have been issued to: > > O = IPSOS-REID Corporation > L = Winnipeg > ST = Manitoba > C = US > > (Heh, I guess the US must have annexed Manitoba when I wasn't looking. :) > > If you DO have troubles with real Microsoft web sites, you can let me > know. > I have contacts among Microsoft web site admins, and when I report a > problem with their servers, they often (not always) get fixed. > They always reply, somewhat red faced, that they only tested with IE. > I have no contacts in Manitoba. > >> and now there is the problem of Fx not having the new >> Verisign intermediate cert > > Verisign's class 3 intermediate CA cert is not new. It was issued on > April 16, 1997, 10 years ago (next month). It has been continuously > in use by thousands of web sites all that time, with NO difficulty by > mozilla browsers. > > Recently, Verisign discontinued issuing certs from their older "RSA > security" root. Their customers (web site administrators) had been > using server certs issued from the old RSA Security root for years, > and had never in their lives ever installed an intermediate CA cert > into their servers. Then, when they applied for renewed certs, they > got certs issued by Verisign's class 3 intermediate CA. Verisign's web > site explained to its subscribers the need to install the Intermediate > CA cert into their servers. > > <http://www.verisign.com/support/advisories/page_029264.html> > <http://www.verisign.com/support/advisories/page_040601.html> > <http://www.verisign.com/support/advisories/page_040611.html> > > even in other languages (such as Japanese, here translated into English): > <http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=ja_en&url=http%3A%2F%2Fwww.verisign.co.jp%2Fserver%2Fabout%2F2006rollover%2Fssid%2Findex.html> > > But many Verisign customers took no notice of those instructions. So, > those web sites, operated by people who didn't read the notices, now have > problems. > > The fault isn't FireFox's, nor Verisign's. > >> and it wanting to rely on root certs that are no longer used by Verisign. > > Wrong, on several counts. > > 1. Verisign's old RSA Security Secure Server authority cert doesn't > expire until 2010. Until then, server certs issued by that CA will > continue to validate against that root CA cert. > > 2. ALL certs are verified by following a "chain" (or "path") of > CA certs, beginning with the issuer of the server cert, then the issuer > of that cert, and so on, until we come to a root CA cert (which is its > own issuer). If the chain is incomplete, so that we cannot follow it > all the way to the root, then the server cert cannot be verified. > > Servers that send out incomplete cert chains are violating the standards > for SSL 3.0 and/or TLS (SSL 3.1), which require servers to send out > their entire cert chains, up to (but not including) the root CA. > An SSL server that doesn't send its intermediate CA certs is simply > non-conformant and mis-configured. > > RFC 2246, the standard definition of TLS (SSL 3.1) says: > > certificate_list > This is a sequence (chain) of X.509v3 certificates. The sender's > certificate must come first in the list. Each following > certificate must directly certify the one preceding it. Because > certificate validation requires that root keys be distributed > independently, the self-signed certificate which specifies the > root certificate authority may optionally be omitted from the > chain, under the assumption that the remote end must already > possess it in order to validate it in any case. > > Yes, there is a standard for certs that allows (but does not require) > "relying parties" to go search on the internet for missing intermediate CA > certs. But that standard does NOT relieve SSL servers of the obligation > to > send their entire server cert chains (minus the root CA cert, which is > optional). > >> At least this is what I understand the situation to be from threads at >> Mozillazine and dslreports security forum, etc. If this is not the case >> please enlighten me. > > Ah yes, those fonts of indisputable truth. :) > > The problems need to be fixed where they exist, in the misconfigured > servers. Of course, it's easier to complain to mozilla, where in many > cases you're more likely to get a reply, but the problem will be fixed > when a sysadmin in Winnipeg fixes his server configuration. Maybe > you can help him/her hasten that day. > > /Nelson B (mozilla SSL developer, IETF TLS member, co-author RFC 4492)
Sigh. It is a Microsoft partner site. On http://www.microsoft.com/mscorp/marketing_research/wwcustomersurvey/default.mspx is a statement that says: "If you have received a Microsoft branded e-mail invitation from Ipsos Loyalty (@satisfaction.microsoft.com) to participate in this research, you can trust that the invitation was sent on our behalf. This is a valid Microsoft survey." This is ipsos which is headquartered in Paris but has North American offices one of which is in Canada: http://www.ipsos.com/where/Northamerica.aspx The microsoft.ipsos.com is on rackspace.com which is another Microsoft partner. Firefox should not bork at this Microsoft partner site. The certs are at the site and IE has no problem getting them. I should have known better than to bring up the Fx certs issue. It is one of the weak spots in Fx and I'm tired of the problems. I'm also tired of giving the IE fanatics ammunition against Fx. You didn't explain anything I didn't already know. You just blamed the server at the Ipsos site. IE has no problems getting the certs. In essence you could be thought to be saying "just use IE" as you offered excuses and pointed blame away from Fx. Maybe the blame is on a misconfigured server but finger pointing doesn't get the problem solved. You did not offer one constructive idea of how to fix this sort of problem that Fx has, but IE doesn't, other than complain to the webmaster or better just go "use IE". _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
