>> Earlier this month, I went to a secure Web site where the site's
>> certificate was issued by Comodo, which did not yet exist in my
>> Mozilla 1.7.2 database (now upgraded to 1.7.3). I downloaded and
>> added the necessary Comodo CA certificate -- Comodo Class 3
>> Security Services CA -- because it is on Mozilla's "approved but
>> pending" list at
>> <http://www.hecker.org/mozilla/ca-certificate-list/>. But I still
>> had a problem. It turned out that the Comodo certificate was
>> signed by the GTE Cyber Trust Global Root certificate, which I had
>> disabled (but not deleted) because GTE Cyber Trust is not on the
>> WebTrust list.

Companies setting up as PKI service providers often chain their CAs to an existing embedded root to provide ease of use to their customers. As the CA gets established, it will set up its own root, acquire audits, and seek to get it widely embedded. When that new root is widely accepted, the CA will begin to issue certificates from the new hierarchy, eventually retiring the CA that was chained elsewhere as its certificates expire.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
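
The behaviour discussed in this thread, as an added example that is not part of the original messages: a simplified path builder showing why a CA chained to a disabled root still fails after its certificate is imported, and why a separately embedded root does not depend on the older one. All certificate names are constructed, and the model assumes the imported CA certificate is used as an intermediate, not as a trust anchor.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

def build_path(leaf, intermediates, trust_store):
    """Return the chain from leaf to an enabled trust anchor, or None.

    trust_store maps root Cert -> enabled flag, so a root can be present
    but disabled. Only name chaining is modelled; a real validator also
    checks signatures, validity dates and constraints.
    """
    candidates = list(intermediates) + list(trust_store)

    def walk(cert, path):
        path = path + [cert]
        if trust_store.get(cert, False):   # reached an enabled anchor
            return path
        for issuer in candidates:
            if issuer.subject == cert.issuer and issuer not in path:
                found = walk(issuer, path)
                if found:
                    return found
        return None                        # dead end: no enabled anchor above

    return walk(leaf, [])

# Constructed names, not real certificates.
ESTABLISHED_ROOT = Cert("Established Root", "Established Root")
CHAINED_CA = Cert("NewCo Issuing CA", "Established Root")
OWN_ROOT = Cert("NewCo Root", "NewCo Root")
SITE_OLD = Cert("shop.example", "NewCo Issuing CA")   # issued by the chained CA
SITE_NEW = Cert("shop.example", "NewCo Root")         # issued from the new hierarchy

def scenarios():
    inter = [CHAINED_CA]
    return {
        "root_enabled": build_path(SITE_OLD, inter, {ESTABLISHED_ROOT: True}),
        "root_disabled": build_path(SITE_OLD, inter, {ESTABLISHED_ROOT: False}),
        "own_root_embedded": build_path(
            SITE_NEW, inter, {ESTABLISHED_ROOT: False, OWN_ROOT: True}),
    }

if __name__ == "__main__":
    for name, path in scenarios().items():
        print(name, "->", [c.subject for c in path] if path else "no trusted path")
```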
