"Ohaya" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> Nelson B wrote:
>
> > Ohaya wrote:
> >
> > > It turns out that what I thought was the CA's cert was actually a package of
> > > certs for the root CA and for several sub-root CAs. [...] :(.
> > >
> > > Also during the PSM import thing, it displays just the name of one of the
> > > sub-root CAs, and it appears that when I check the purposes checkboxes, it
> > > is setting the purposes for just that one sub-root CA cert (i.e., not for
> > > the root CA cert, and not for any of the other sub-root CA certs).
> >
> > PSM's specification for the import of certs is found at
> > http://wp.netscape.com/eng/security/comm4-cert-download.html
> >
> > Here is a relevant excerpt from that specification:
> >
> > > Several of the formats described above can contain several certificates.
> > > When the Netscape certificate decoder encounters one of these
> > > collections of multiple certificates they are handled in the following
> > > way:
> > >
> > > * The first certificate is processed in a context specific manner,
> > > depending upon how it is being imported. For the Communicator, this
> > > handling will depend upon the mime Content-Type that is used on the
> > > object being downloaded. For Netscape servers it will depend upon the
> > > options selected in the server administration interface.
> > > * Subsequent certificates are all treated the same. If the
> > > certificates contain the SSL-CA bit [...] and do not already exist in
> > > the local certificate database, they are added as untrusted CAs. In this
> > > way they may be used for certificate chain validation, as long as there
> > > is a trusted CA somewhere along the chain.
> >
> > So, my guess is that the certs in this file you downloaded are not in the
> > right order.
>
> Nelson,
>
> Thanks. This discussion has been very helpful for me.
>
> I've used openssl pkcs7 to see what's in the file, and the certs in the
> file are basically arranged something like:
>
> sub-root CA aaa
> sub-root CA bbb
> sub-root CA ccc
> .
> .
> sub-root CA xxx
> root CA
>
> I broke each of the certs out manually and it looks like all of the
> sub-root CA certs are off of the single root CA cert.
>
> Given what you mentioned above, it seems like all of the sub-root CA
> certs, and the root CA cert would get added as untrusted CAs, except for
> the first one (sub-root CA aaa).
>
> I'm not sure if this makes sense, to me, anyway. What I mean by this is
> why package ALL of the sub-root CA certs together like that (they don't
> all form a single chain), since apparently only the 1st one will carry
> the trusted purposes over once they're imported into PSM (and I checked,
> and they have only one of these files, i.e., they don't have different
> packages for different uses)?
>
> I'm wondering if, for some reason, they think that PSM will propagate the
> trust purposes set for the first sub-root CA cert to all the other
> sub-root CA certs in the file.
>
> I'm supposed to be meeting with some of the people from the CA tomorrow,
> so I hope that I get the chance to ask this :)!!
>
> I'll post back if I find anything out.
>
> Again, thanks for all of your help (and patience).
>
> Jim

Nelson,

I wanted to follow up re. the above. Since that last post, I've been able to follow up with the CA, and they are now investigating. The info that you provided was VERY helpful in getting them to recognize the possibility that something might be amiss, so again, thank you very much!!

Jim

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
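The check that Nelson's spec excerpt and Jim's listing together suggest, written here as an added example rather than anything posted in the thread: list the certificates of a PKCS#7 bundle in file order, mark which one is self-signed (subject equals issuer), and state what PSM does with each position according to the quoted Netscape spec. It assumes the `subject=` / `issuer=` line layout that `openssl pkcs7 -print_certs -noout` prints (the exact spacing differs between OpenSSL versions, but subject and issuer each stay on their own line, which is all the script relies on); the sample listing is constructed to mirror the order Jim described, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the thread): show the order of the certificates in
# a PKCS#7 bundle and what PSM does with each position. Per the quoted
# Netscape spec, only the first certificate is handled according to the
# import context (the purposes ticked in the dialog); every later CA cert
# is just added as an untrusted CA.

# classify_listing: reads the "subject=..." / "issuer=..." line pairs that
# `openssl pkcs7 -print_certs -noout` prints (assumed layout) on stdin and
# emits one line per certificate: "<position> <ROOT|SUB> <subject>".
# A certificate whose subject equals its issuer is taken to be a self-signed root.
classify_listing() {
  awk '
    /^subject=/ { subj = substr($0, 9); sub(/^ +/, "", subj) }
    /^issuer=/  {
      iss = substr($0, 8); sub(/^ +/, "", iss)
      n++
      kind = (subj == iss) ? "ROOT" : "SUB"
      printf "%d %s %s\n", n, kind, subj
    }
  '
}

# psm_verdict: reads classify_listing output on stdin and says where the
# import-time purposes would land:
#   root-first      position 1 is the self-signed root, so the purposes go on
#                   the root and the sub-CAs (added untrusted) chain up to it
#   root-not-first  position 1 is a sub-CA, so only that sub-CA gets the
#                   purposes; the root and the other sub-CAs stay untrusted
#   no-certs        the listing was empty
psm_verdict() {
  awk '
    $1 == 1 { first = $2 }
    END {
      if (first == "")          print "no-certs"
      else if (first == "ROOT") print "root-first"
      else                      print "root-not-first"
    }
  '
}

# inspect_bundle FILE [PEM|DER]: run the check on a real bundle (needs openssl).
inspect_bundle() {
  openssl pkcs7 -in "$1" -inform "${2:-PEM}" -print_certs -noout | classify_listing
}

# Constructed sample listing (not a real CA's bundle) in the order Jim
# described: the sub-root CAs first, the root CA last.
SAMPLE_LISTING='subject=CN = Example Sub CA aaa
issuer=CN = Example Root CA

subject=CN = Example Sub CA bbb
issuer=CN = Example Root CA

subject=CN = Example Root CA
issuer=CN = Example Root CA
'

sample_report()  { printf '%s' "$SAMPLE_LISTING" | classify_listing; }
sample_verdict() { sample_report | psm_verdict; }

# Usage: sh check_order.sh             -> runs the constructed sample
#        sh check_order.sh bundle.p7b  -> inspects a real PEM bundle
#        sh check_order.sh bundle.p7b DER
if [ $# -gt 0 ]; then
  inspect_bundle "$1" "$2"
  inspect_bundle "$1" "$2" | psm_verdict
else
  sample_report
  sample_verdict
fi
```

On the constructed sample the report reads `1 SUB`, `2 SUB`, `3 ROOT` and the verdict is `root-not-first`, which is exactly the situation Jim observed: the purposes ticked at import land on "sub-root CA aaa" alone, and the root plus every other sub-CA go into the database untrusted. The subject/issuer comparison is a heuristic for "self-signed" that is good enough for sorting out a bundle's layout; it does not verify any signature.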
