Victor Probo wrote: > > Darrel wrote: > >> I've loaded Moz 1.1 and it has imported my Netscape 4.79 profile. I >> have 5 private certs from Thawte Personal Freemail used to sign and >> encrypt email. Each is good for a 1 year and 4 of these have now >> expired. I have an email encrypted with one of the now-expired certs. >> In NS 4.7, I can view the email; under Moz 1.1, I see a broken key >> icon and the email doesn't appear. Are my certs OK? Why can't I >> decrypt my old email? Does Moz refuse to use an expired cert? > > > I have found a similar problem with the FreeMail certs and > constructing the chain. What I found was that Thawte had a CA cert which > appeared with the name 'Personal Freemail RSA 2000.8.30' and was valid > from 8/29/00 through 8/29/2002 (serial # 0C, I think). At some point > thay generated a new signing cert with exactly the same DN but the date > range is 8/29/00 through 8/29/2004 (serial # > 66:45:72:B7:CC:74:F5:CF:63:76:45:84:D0:2E:91:01). > > In my cert storage (Authorities), both certs appeared, with the older > (lower serial number) entry being listed first. When trying to verify > newer certs (issued in Sept. this year) the PSM always said the chain > were not good. When I deleted the older (lower serial) cert, the problem > went away. But I also invalidated all the certs that were signed by the > older CA cert. > > From the observed performance, it appears that the PSM assumes that a > DN is unique (only one per database)and simply uses the first one found. > FreeMail certs also do not contain the extensions for Authority Key > Identifier and such to aid in identifying the signer. I don't know if > they would be used <<shrug>>; but if they did, you couldn't really tell > since they would probably be displayed only as OIDs and hex dumps. > > Victor Probo >
That may be it. I remember discovering a date change like you cite in my expired certificates. I thought that might be the problem so I deleted all the 2002 certs and re-fetched them from Thawte. After refeteching them, they all had the 2004 date. Netscape 4.7 doesn't mind and can decrypt the old messages. But Moz won't. I think I have a copy of the 2002 certs. I'll restore them and see if that works. Thanks for pointing it out! Darrel
