On 15.07.2004 01:28, Nelson Bolyard wrote:

> In this case (x-x509-email-cert) it really only means that the cert is
> a valid cert for encryption of S/MIME emails. It's a valid SMIME
> email recipient cert, having the necessary extensions and names for
> that purpose.

Hm, I have to do a search on what's necessary for this.

> > For application/x-x509-ca-cert:
> > - Is Mozilla supposed to import several certs that aren't chained?
>
> The intent here is that the first cert is a root CA, and the ones
> following it may be subordinate to it. They may or may not form a
> single chain. This mime type is used to import a ROOT CA cert, and
> other CA certs that, while not explicitly trusted individually, should
> receive implicit transitive trust from their issuer when doing chain
> validation.

And there may be various root CA certs in the package? Currently a bad person can put a trustworthy cert (e.g. ) at the top, the user approves it, and any other certs, related to the first one or not, root cert or not, also get imported without an alert.

> If the CA from which this package of certs is being imported is trustworthy,
> then the whole "package" of certs imported should be valid. If any cert
> in the package is invalid, then perhaps you really shouldn't trust
> this CA or ANY of the certs in the package.

With "from which this package of certs is being imported" do you mean the topmost cert or the URL from which the package comes?

> I think it's reasonable to impose a requirement that x-x509-user-cert
> and x-x509-email-cert import a single chain, but not necessarily an
> ordered one (For backward compatibility). For those MIME types, I'd say
> just discard any certs not part of a valid chain.

I now have it so far that ImportEmailCertificate() and ImportUserCertificate() get a CERTCertificateList that contains a chain from the leaf down to as far as possible. In the ideal case this bottom cert is a root cert delivered in the package. But it could also be a root cert from the Perm DB (if only intermediate CA certs were present in the package but the last has been signed by an already known). In other possible cases the last cert can be an intermediate CA cert from the package but also an intermediate CA cert from the Perm DB.

If the last cert in the chain is a trusted CA from the DB, we can import the chain without question, I guess. In any other case we have to alert the user. So the question for me is now, what certs to present to the user in that alert? While we shouldn't pass on the mail cert itself, the cert on the end of the chain should get presented too, yes?

Christian

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
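
The chain-end cases discussed in the message above, as an added example that is not part of the original post and is not NSS code: it orders an unordered package from the leaf toward a root, leaves out unrelated certs, and reports where the chain stops. The `Cert` struct, the function names and the sample data are hypothetical, and certs are linked by subject/issuer name only (no signature or validity checks).

```c
#include <stdio.h>
#include <string.h>

/* Simplified model: certs are linked by subject/issuer name only. Real chain
 * building must also verify signatures, validity and CA constraints. */
typedef struct { const char *subject, *issuer; int trusted; } Cert;
typedef enum { END_TRUSTED_DB, END_UNTRUSTED_ROOT, END_INCOMPLETE, END_TOO_LONG } ChainEnd;

/* Constructed sample data: an unordered package and a permanent DB. */
static const Cert PKG[] = {
    { "Unrelated Root", "Unrelated Root", 0 },
    { "Inter CA", "Root A", 0 },
    { "alice@example.test", "Inter CA", 0 },
    { "bob@example.test", "Unrelated Root", 0 },
};
static const Cert DB[] = { { "Root A", "Root A", 1 } };

static const Cert *find(const Cert *set, int n, const char *subject) {
    for (int i = 0; i < n; i++)
        if (strcmp(set[i].subject, subject) == 0) return &set[i];
    return NULL;
}

/* Walk from the leaf toward a root, looking in the package first and then in
 * the DB. Certs never reached are left out of the chain. */
ChainEnd build_chain(const Cert *leaf, const Cert *pkg, int npkg,
                     const Cert *db, int ndb, const Cert **out, int max, int *len) {
    const Cert *cur = leaf;
    for (*len = 0; *len < max; ) {
        out[(*len)++] = cur;
        if (cur->trusted) return END_TRUSTED_DB;
        if (strcmp(cur->subject, cur->issuer) == 0) return END_UNTRUSTED_ROOT;
        const Cert *next = find(pkg, npkg, cur->issuer);
        if (!next) next = find(db, ndb, cur->issuer);
        if (!next) return END_INCOMPLETE;   /* ends at an intermediate CA */
        cur = next;
    }
    return END_TOO_LONG;                    /* issuer loop or over-long chain */
}

/* Per the message: only a chain ending at a trusted DB CA imports silently. */
int needs_prompt(ChainEnd end) { return end != END_TRUSTED_DB; }

int main(void) {
    const Cert *chain[8]; int n;
    ChainEnd end = build_chain(&PKG[2], PKG, 4, DB, 1, chain, 8, &n);
    for (int i = 0; i < n; i++) printf("%d: %s\n", i, chain[i]->subject);
    printf("prompt user: %s\n", needs_prompt(end) ? "yes" : "no");
    return 0;
}
```

A package root whose name matches a trusted DB entry still ends as `END_UNTRUSTED_ROOT` here because the package is searched first, so it falls on the prompting side.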
