Victor Probo wrote:
> 
> Darrel wrote:
> 
>> I've loaded Moz 1.1 and it has imported my Netscape 4.79 profile.  I 
>> have 5 private certs from Thawte Personal Freemail used to sign and 
>> encrypt email.  Each is good for a 1 year and 4 of these have now 
>> expired.  I have an email encrypted with one of the now-expired certs. 
>> In NS 4.7, I can view the email; under Moz 1.1, I see a broken key 
>> icon and the email doesn't appear.  Are my certs OK?  Why can't I 
>> decrypt my old email?  Does Moz refuse to use an expired cert?
> 
> 
>   I have found a similar problem with the FreeMail certs and 
> constructing the chain. What I found was that Thawte had a CA cert which 
> appeared with the name 'Personal Freemail RSA 2000.8.30' and was valid 
> from 8/29/00 through 8/29/2002 (serial # 0C, I think). At some point 
> thay generated a new signing cert with exactly the same DN but the date 
> range is 8/29/00 through 8/29/2004 (serial # 
> 66:45:72:B7:CC:74:F5:CF:63:76:45:84:D0:2E:91:01).
> 
> In my cert storage (Authorities), both certs appeared, with the older 
> (lower serial number) entry being listed first. When trying to verify 
> newer certs (issued in Sept. this year) the PSM always said the chain 
> were not good. When I deleted the older (lower serial) cert, the problem 
> went away. But I also invalidated all the certs that were signed by the 
> older CA cert.
> 
>  From the observed performance, it appears that the PSM assumes that a 
> DN is unique (only one per database)and simply uses the first one found. 
> FreeMail certs also do not contain the extensions for Authority Key 
> Identifier and such to aid in identifying the signer. I don't know if 
> they would be used <<shrug>>; but if they did, you couldn't really tell 
> since they would probably be displayed only as OIDs and hex dumps.
> 
> Victor Probo
> 

That may be it.  I remember discovering a date change like you cite in 
my expired certificates.  I thought that might be the problem so I 
deleted all the 2002 certs and re-fetched them from Thawte.  After 
refeteching them, they all had the 2004 date.  Netscape 4.7 doesn't mind 
  and can decrypt the old messages.  But Moz won't.  I think I have a 
copy of the 2002 certs.  I'll restore them and see if that works. 
Thanks for pointing it out!

Darrel


Reply via email to