Ben Bucksch wrote:
As I understand it, PSM/NSS will currently accept new certificates signed by trusted CAs, even if a *different* certificate is already known for that entity (I think even if the CA mismatches). Mozilla would show the lock / pen icon as if everything were OK and you'd never notice that you're now talking with the US government.
Nelson, can you confirm or deny that, so that I can stop wondering? I don't feel like applying for 2 different certs just to try it out. If that problem indeed exists, I'd consider it a severe security problem and file a bug about it.
Then you should file a bug against the IETF and the ISO who created the PKI standards.
Seriously, I can confirm that the 2 certs will work. And under the PKI model, that's perfectly valid. A single entity, such as a user, can have an infinity of certs, for a variety of good reasons, such as having different keys, different usages (certs for encrypting and signing), getting multiple certifications for the same key, or simply renewing the cert.
There is no rule that any of those certs must be issued by the same CA. In fact, there is nothing that binds the subject name (e.g., a domain name for a web site, or an e-mail address for an individual) to a particular CA. That allows you to choose any CA you trust that will verify you to get your cert, as opposed to having that choice made for you.
If you don't like that choice, you should talk to the IETF and complain. I think you will be in good company, as people are actually working on protocols to make that determination, but they haven't become standard.
To give you a concrete example, when I worked at Netscape I had a cert with my business e-mail address from the corporate CA. I also had a second cert with my business e-mail address from Thawte. I used the former to login to internal corporate sites with client auth, and the latter in my signed e-mails.
The internal servers enforced that they only trusted the corporate CA, and no root cert, so I only used my corporate cert to login. Any properly set up SSL server would have that property, so there is no security issue there.
For e-mail, things were different. Clients such as Mozilla trust a large set of CA certs for e-mail, including both of the roots that my two certs chained to, GTE and Thawte. That meant I had a choice of which certificate to use for signing my e-mails. Unless they specifically checked the certs in my valid e-mail signatures, my correspondents could not tell which cert I was using.
Some corporate types might consider that a bad thing and require that I use my corporate cert and its escrowed key. The way to implement such a policy would be to distribute a custom e-mail client without any root certs for e-mail purposes, with only the corporate CA trusted for e-mail, without the ability to add e-mail trust to any other CA, and disallowing anyone from using any other e-mail program. It's not a practical policy to implement.
_______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
