Hi, I read through the bug, the source and the spec at http://wp.netscape.com/eng/security/comm4-cert-download.html#communicator.
Nelson said that Mozilla still honors that spec, but either it doesn't or I don't understand it right.

For application/x-x509-email-cert:
- First cert has to be a user cert. Does this mean no self-signed cert? Or does it just mean the cA component has to be false and bits 5, 6, 7 of netscape-cert-type must not be set?
- All other (following) certs in the data block have to be chained (i.e. sign its forerunner) to the first cert?
- All other (if correctly chained) have to be inserted in the Authority tab?

For application/x-x509-ca-cert:
- Is Mozilla supposed to import several certs that aren't chained?

Generally:
- If not importing not chained certs, should Mozilla reject all certs in that data block or only the non-chained?

Currently the tests in nsNSSCertificateDB::handleCACertDownload() are only loose and (AFAIK) not present in nsNSSCertificateDB::ImportEmailCertificate().

BTW, does the comment in CERT_ImportCerts at #2273 and following "if we are importing only a single cert and specifying a nickname, we want to use that nickname if it a CA" match the code? To me it looks like it's possible the nickname (not canickname) gets assigned while adding to perm also if it's no CACert.

Christian
