Nelson B. Bolyard wrote:
fecund wrote:
Using Mozilla 1.2 alpha, and having trouble accessing many sites when
OCSP validation is turned on. The typical error is:
" Error trying to validate certificate from secure3.ingdirect.com
using OCSP - response contains a date which is in the future. "
What I'd like to see in the above error:
the site it used to validate said certificate
the invalid date
eg: " Error trying to validate certificate from secure3.ingdirect.com
via www.verisign.com using OCSP - response contains a date
'99/99/9999' which is in the future. "
Did it really say 99/99/9999 ?
Or did you substitute 9s for the real numbers?
Look more closely- what I want is an error message that shows me the
date. I wish I knew the date on the certificate, so I could see if it
is indeed incorrect. Here's hoping someone looks up that error in the
Mozilla source, and makes it more verbose.
I turn off OCSP verification, and examine the site's certificate with
"Page Info". It says "The web site secure3.ingdirect.com supports
authentication for the page you are viewing. The identity of this web
site has been verified by VeriSign Trust Network, a certificate
authority you trust for this purpose." - I assume there is some
alternative to OCSP that Mozilla used to check ingdirect's
certificate.
mozilla/NSS verifies that
- the server cert name matches the host name in the site's URL, and
- none of the certs has expired, and
- the signature in each cert is verifiable using the public key in the
issuer's cert, and
- the cert chain ends with a root CA cert that is known to and trusted by
mozilla, as so-called "trust anchor", and
- none of the certs is restricted from being used for SSL by any cert
extensions, and
- a few other details (path length constraints, name constraints).
This is normal certificate chain validation.
OCSP merely verifies that the certs in question haven't been revoked by
the issuing CA. Without OCSP, and without a "Certificate Revocation List"
from the issuing CA, mozilla simply doesn't check the certs for revocation.
Thanks- I'll run NS7.0 without OCSP for now.
Nelson Bolyard
Disclaimer: I speak for myself, not for Netscape
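Nelson's list of chain checks and the OCSP "date in the future" error fecund hit, as an added Go example that is not Mozilla/NSS code: it builds a constructed two-certificate chain, runs the Go standard library's chain validation against a host name, and separately models the OCSP freshness check with an error message that names the offending date. The function names, the constructed certificates and the five-minute clock-skew allowance used in the test are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// buildChain generates in memory a constructed root CA and a server cert for host (not real VeriSign/ING certs), valid for 24h.
func buildChain(host string) (root, leaf *x509.Certificate, err error) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader) // the server keeps the private half; not needed here
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Root CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caPriv) // self-signed: this is the trust anchor
	if err != nil {
		return nil, nil, err
	}
	root, _ = x509.ParseCertificate(caDER) // DER that CreateCertificate just produced always parses
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, leafPub, caPriv) // signed with the CA's key
	if err != nil {
		return nil, nil, err
	}
	leaf, _ = x509.ParseCertificate(leafDER)
	return root, leaf, nil
}

// verifyChain runs the checks Nelson lists: host name, validity period, issuer signature, chain to a trust anchor, and
// extension constraints (CA flag, key usage, name and path-length limits; default usage is server auth). No revocation check.
func verifyChain(leaf, root *x509.Certificate, host string) error {
	anchors := x509.NewCertPool()
	anchors.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: anchors, DNSName: host})
	return err
}

// checkOCSPDate models (not NSS code) the freshness rule behind the error above: thisUpdate may not exceed local clock + skew.
func checkOCSPDate(thisUpdate, now time.Time, skew time.Duration) error {
	if thisUpdate.After(now.Add(skew)) {
		return fmt.Errorf("OCSP response date %s is in the future (local clock %s)", thisUpdate.UTC().Format(time.RFC3339), now.UTC().Format(time.RFC3339))
	}
	return nil
}
```

A passing verifyChain only means the chain is well-formed and anchored; whether the cert has been revoked is a separate question that only an OCSP response or CRL can answer.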