Alan Dobkin wrote:
> Does Mozilla/NSS have a policy for adding "Intermediate Certification
> Authorities"?
Yes. At the present time, we are not adding intermediate CA certs to the store of trusted CA certs.
> In particular, I am interested in the "Starfield Secure
> Certification Authority", owned by "Starfield Technologies, Inc."
> (a.k.a. GoDaddy).
Correctly configured SSL servers featuring Starfield certs work just fine with Mozilla, and without any mozilla user intervention.
If you're operating an SSL server with a starfield cert (as I gather you are) and it doesn't work with mozilla, I'll bet that your server is sending out only the server cert itself, and is not also sending out the intermediate CA certs, as is required by the relevant SSL and TLS standards.
If that is the case, the solution is not for you to ask mozilla to change the browser, but rather is for you to configure your server to send out the proper cert chain. Once that is done, mozilla will work with your server just fine, and you won't have to wait for a mozilla change, nor will you have to inform any mozilla users how to make unnecessary configuration changes to their browsers.
> They are certified by WebTrust (description below).
As is their issuer, whose root cert is already in mozilla's cert store. Any SSL server that sends out the intermediate CA certs will already appear trusted without user intervention. That is how SSL is designed to work, and that is the server behavior required by the standards.
> In addition, they are already included in Microsoft Internet Explorer,
> which makes a strong argument for including them in Mozilla.
When MSIE encounters an intermediate CA cert in a COMPLETE cert chain, so that the intermediate cert can be properly validated, MS IE automatically adds that intermediate CA cert to its local cert store. AFAIK, IE's UI for displaying that cert store does not visibly differentiate between certs added by MS, and those added automatically from the net. This creates confusion about the source of a particular cert in the store.
Mozilla does not automatically add encountered CA certs to the store, because it's unnecessary for successful operation with standards compliant servers, among other reasons.
> In the IE Certificates window, there is a tab for "Intermediate
> Certification Authorities". There are currently 18 (at least on my
> system) CAs listed here, including Starfield and several other providers
> (6 are for Microsoft themselves). There is no similar tab in the
> Firefox Certificate Manager,
True. Mozilla displays root and subordinate (intermediate) CA certs together in one tab. Having a separate tab wouldn't help.
> Here is a link to the Starfield Technologies, Inc. Repository, which
> contains their Intermediate Certificate, and the Root Certificate for
> their provider, ValiCert:
> https://certificates.starfieldtech.com/Repository.go
>
> Please let me know if I should open a corresponding Bugzilla request.
Valicert is trusted in mozilla now, IINM. SSL servers that send out complete cert chains that chain up to Valicert's root work now.
So, I don't see any problem here that requires a change to mozilla's list of trusted certs. I don't see any problem here that requires users to make any changes to their browser configuration. I see only an issue here that requires servers to be configured to comply with the standards.
> Thanks for considering this issue!
-- 
Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
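As an added illustration of the server-side check Nelson describes (this is not part of his message, nor code from Mozilla/NSS): a small script that reads the "Certificate chain" block printed by `openssl s_client -connect host:443 -showcerts` and decides whether the server sent the intermediate CA certs needed to reach a root the client already trusts, or only its own cert. The two captured outputs, the distinguished names and the trusted-root list below are constructed placeholders, not real Starfield or ValiCert data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of what `openssl s_client -showcerts` prints for a
# misconfigured server that sends ONLY its own certificate.
LEAF_ONLY = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.test
   i:/C=US/O=Example CA Ltd/CN=Example Intermediate CA
---
"""

# Constructed sample for the same server after it was configured to also
# send the intermediate CA cert (the root itself need not be sent).
LEAF_AND_INTERMEDIATE = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=Example Corp/CN=www.example.test
   i:/C=US/O=Example CA Ltd/CN=Example Intermediate CA
 1 s:/C=US/O=Example CA Ltd/CN=Example Intermediate CA
   i:/C=US/O=Example CA Ltd/CN=Example Root CA
---
"""

# Constructed stand-in for the browser's built-in store of trusted roots:
# the subject names of roots the client already trusts.
TRUSTED_ROOT_SUBJECTS = {"/C=US/O=Example CA Ltd/CN=Example Root CA"}

_SUBJECT = re.compile(r"^\s*(\d+)\s+s:(.*)$")   # " 0 s:/C=US/..." lines
_ISSUER = re.compile(r"^\s+i:(.*)$")            # "   i:/C=US/..." lines


def parse_chain(s_client_output: str) -> List[Tuple[str, str]]:
    """Return [(subject, issuer), ...] in the order the server sent the certs."""
    chain: List[Tuple[str, str]] = []
    subject: Optional[str] = None
    for line in s_client_output.splitlines():
        m = _SUBJECT.match(line)
        if m:
            subject = m.group(2).strip()
            continue
        m = _ISSUER.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain


def check_chain(s_client_output: str, trusted_roots: set) -> Dict[str, object]:
    """Judge whether the certs the server sent let a client build a path
    from the server cert up to a root already in its trust store."""
    chain = parse_chain(s_client_output)
    if not chain:
        return {"complete": False, "sent": 0, "problem": "no certificates parsed"}
    # Each cert's issuer must be the subject of the very next cert sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return {"complete": False, "sent": len(chain),
                    "problem": f"chain broken: {issuer!r} is not the next cert sent"}
    last_subject, last_issuer = chain[-1]
    # Complete if the last cert was issued by a trusted root, or is one.
    if last_issuer in trusted_roots or last_subject in trusted_roots:
        return {"complete": True, "sent": len(chain), "problem": None}
    return {"complete": False, "sent": len(chain),
            "problem": f"server did not send the CA cert for {last_issuer!r}; "
                       "the client cannot reach a trusted root"}


if __name__ == "__main__":
    for label, output in (("leaf only", LEAF_ONLY),
                          ("leaf + intermediate", LEAF_AND_INTERMEDIATE)):
        print(label, "->", check_chain(output, TRUSTED_ROOT_SUBJECTS))
```

In practice you would pipe the real `openssl s_client` output into `check_chain` and replace the placeholder root list with the subjects from the client's actual root store; a "complete": False verdict with a named missing issuer is the server-configuration problem Nelson describes, and the fix belongs on the server, not in the browser.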
