Edward Liu wrote:
Nelson Bolyard wrote:

Edward Liu wrote:

I would say that handling of cert policies extensions is not
relevant to cert import UNLESS that extension is marked critical.
Was that extension marked critical in your cert?

I don't know. The .pfx file was generated by my stock broker.

Sad. If someone other than you generated your private key and sent it to you along with your cert in a pfx file, then

a) that someone has a copy of your private key (unless they destroyed
   every copy they have of it, which would be surprising), and
b) they're using PKI as a shared secret key system, rather than as a
   public key system, and
c) whoever has a copy of your private key can impersonate you.

Personally, I would never accept a pfx or p12 file from someone else
for my own personal use, for these very reasons.

Is there any viewer to list the content ?

I'm not aware of any. That would be a good project for an aspiring mozilla (or NSS) developer. Someone could extend NSS's pk12util to list the contents without importing them.

> Do you mean we can write an empty extension for this and mark the
> entry as SUPPORTED_CERT_EXTENSION ? Thank you.

No.  I didn't mean an extension of mozilla, I meant a thing inside
the certificate itself that is called an "extension".  Certificate
extensions are optional parts added by the cert issuer.

Each extension in a cert has a flag (known as "critical") which tells
any person (software) who would rely on that certificate that
"if you don't understand this extension, then you must reject this
cert completely and not honor it".

mozilla honors extension criticality.  If mozilla encounters a cert
with a critical extension that mozilla doesn't recognize, or that it
recognizes but does not implement, mozilla will not use the cert.
Cert policy extensions are presently a type of extension that mozilla
recognizes but does not implement.  (any volunteers?)

Only the cert issuer can decide whether the extensions that he places
into the certs are going to be marked critical or not.  There are
standards (e.g. RFC 3280) that say that some extensions must be
critical, and some must not be critical, and some may or may not be
at the discretion of the issuer.

If your cert issuer has placed a policies extension in the cert and
marked it critical, then you won't be able to use it with mozilla
until mozilla is enhanced to understand those extensions.
If your cert issuer has NOT marked the policies extension critical,
then we need to understand why (you believe that) mozilla rejects
the cert (refuses to import it) due to that extension.

(sorry if this seems pedantic.)

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
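Added example, not part of the thread above and not mozilla/NSS code: a small stdlib-only Python script that walks a DER-encoded X.509 certificate, lists each extension with its "critical" flag, and reports which critical extensions a relying party would have to reject the cert for, which is the rule Nelson describes. The sample certificate is constructed inline with a placeholder key and signature (it is unsigned, so it only exercises the extension parsing), and the IMPLEMENTED set is a hypothetical relying-party capability set chosen to mirror the post: certificatePolicies (2.5.29.32) is recognised but not implemented. To run it against a real cert from a .pfx you would first extract the certificate (for example with `openssl pkcs12 -in file.pfx -nokeys`) and feed the DER bytes to list_extensions.

```python
"""List X.509 extensions with their critical flags and apply the RFC 3280
rule: a critical extension the relying party cannot process forces rejection.
Sample certificate is constructed here (dummy key and signature)."""

CERT_POLICIES = "2.5.29.32"          # id-ce-certificatePolicies
NAMES = {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage",
         CERT_POLICIES: "certificatePolicies"}
# Hypothetical relying-party capability set (assumption, mirrors the post):
# recognises all three OIDs above but implements only the first two.
IMPLEMENTED = {"2.5.29.19", "2.5.29.15"}


# ---- minimal DER encoder, used only to build the constructed sample cert ----
def _length(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content

def seq(*items):
    return tlv(0x30, b"".join(items))

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                 # base-128, high bit set on all but the last byte
        group = [arc & 0x7F]
        arc >>= 7
        while arc:
            group.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(group))
    return tlv(0x06, bytes(body))

def extension(dotted, critical, value):
    # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
    flag = tlv(0x01, b"\xff") if critical else b""
    return seq(oid(dotted), flag, tlv(0x04, value))

def build_sample_cert(policies_critical):
    """Constructed v3 certificate; the key and signature are dummies."""
    name = seq(tlv(0x31, seq(oid("2.5.4.3"), tlv(0x0C, b"Example"))))      # CN=Example
    validity = seq(tlv(0x17, b"240101000000Z"), tlv(0x17, b"340101000000Z"))
    rsa = seq(oid("1.2.840.113549.1.1.1"), tlv(0x05, b""))
    spki = seq(rsa, tlv(0x03, b"\x00" + b"\x00" * 16))                     # placeholder key
    exts = seq(
        extension("2.5.29.19", True, seq()),                    # basicConstraints: cA=FALSE
        extension("2.5.29.15", True, tlv(0x03, b"\x07\x80")),   # keyUsage: digitalSignature
        extension(CERT_POLICIES, policies_critical, seq(seq(oid("2.5.29.32.0")))),  # anyPolicy
    )
    sig_alg = seq(oid("1.2.840.113549.1.1.11"), tlv(0x05, b""))           # sha256WithRSA
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"), sig_alg,
              name, validity, name, spki, tlv(0xA3, exts))
    return seq(tbs, sig_alg, tlv(0x03, b"\x00" * 33))                      # placeholder signature


# ---- DER walker ----
def parse_tlv(buf, pos=0):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                    # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    pos = 0
    while pos < len(content):
        tag, body, pos = parse_tlv(content, pos)
        yield tag, body

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0     # fine for first arcs 0-2 with second arc < 40
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def list_extensions(cert_der):
    """Return [(oid, critical, extnValue)] in certificate order."""
    _, cert, _ = parse_tlv(cert_der)
    _, tbs = next(children(cert))                                          # TBSCertificate
    ext_wrapper = next((b for t, b in children(tbs) if t == 0xA3), None)   # [3] Extensions
    if ext_wrapper is None:
        return []
    _, ext_list, _ = parse_tlv(ext_wrapper)
    result = []
    for _, ext in children(ext_list):
        fields = list(children(ext))
        critical = len(fields) == 3 and fields[1][1] == b"\xff"           # absent BOOLEAN means FALSE
        result.append((decode_oid(fields[0][1]), critical, fields[-1][1]))
    return result

def unusable_critical_extensions(cert_der, implemented=IMPLEMENTED):
    """Critical extensions the relying party cannot process; RFC 3280 s4.2 says
    each one forces rejection of the certificate, as the post describes."""
    return [o for o, crit, _ in list_extensions(cert_der) if crit and o not in implemented]

if __name__ == "__main__":
    for critical in (True, False):
        cert = build_sample_cert(critical)
        for o, crit, _ in list_extensions(cert):
            print(f"{NAMES.get(o, o):20} critical={crit}")
        print("would be rejected for:", unusable_critical_extensions(cert) or "nothing", "\n")
```

With the policies extension marked critical the script reports the certificate as unusable for exactly that OID; with it non-critical the same relying party accepts the cert, which is the distinction the post draws before going looking for some other reason for the import failure.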
