Michael Voucko wrote: > You are right, I just reinstalled 1.1 to see what this version thinks > about the data base created w/ 1.2b and everything is ok. > And yes, your are right, my cert includes an AuthorityKeyIdentifier.
Well, there's more to it than that. An Authority Key Identifier extension can contain a) the value of the issuer cert's "Subject Key Identifier", or b) The value of the issuer cert's Issuer name and serial number, or c) both. Most commercial CAs do a, some do b. AFAIK, none do c. b and c are less flexible than a because having the issuer's serial number in it doesn't accomodate CA cert renewal. There's some program that people are using to create their own certs that does c. I'd like to know what program that is. Please tell me what program you used to create your certs, or, if you got them from a CA, what CA you got them from. Thanks. > Thanks, I'll check again with the next release. > > BTW. is there a document or place to look for (beside the source code) > on how certificate extensions are interpreted by mozilla? No. I once wrote a document that explained how NSS processes 3 particular extensions, but I don't know of any document that described all the extensions that NSS handles. > Thanks again > Michael -- Nelson Bolyard Disclaimer: I speak for myself, not for Netscape
