Presence both of a pair of cross-certificates in the Authorities certificarte store results looping rather than traversing to a root certificate. Although the looping appears to end in the 5th scrolled image [See link to gallery below], that is ending at a cross- certificate and not a root. It appears the Mozilla function does the looping for a certain predetermined number of times then stops. Not sure at this point if this is a cosmetic issue of the path display feature or if this actually can cause multiple attempts at validation as a result of the looping. Certificate trust does not appear effected. Not that Microsoft Windows and OS X do not have this issue, although their methods of choosing the proper path to root varies, they do not get caught in a loop as this Mozilla implementation appears to do.
This issue is exhibited any CAs with cross certified certificates in the path to root being present, although I'm most familiar with it occurring with the US Federal PKI cross-certificates with the Federal Common Policy CA / Federal Bridge CA / DoD CAs. There are many cross certified CA's so this can happen many different ways even from one starting point depending on the collection of certificates and cross- certificates present in the Mozilla certificate store. The path should take only one of the cross-certificates that go to root and not loop back to a certificate used previously in the path to root. Link to image to show the looping activity reported as well as a proper path example: https://picasaweb.google.com/rdisiena/CrossCertificateLoopingMozillaBugReport?feat=directlink -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto