Jean-Marc Desperrier wrote:
>
> Nelson B wrote:
> > Jean-Marc Desperrier wrote:
> >> bassie wrote:
> >>> When I import the CA certificate that issued the end-user certificate
> >>> TBird validates the signature, even without a Root CA in the
> >>> certificate store!
> >>
> >> This much is normal behaviour.
> >
> > It is?
> >
> > I'd sooner guess that TBird is automatically marking the imported CA
> > cert as trusted. That would be a serious bug in TB.
>
> Oh, I supposed that bassie had explicitly marked the intermediate CA as
> trusted, but was surprised that the import of the root was not required
> as is the case with some other products.

I don't know about mail certificates, but this is indeed how Web certificates work in Mozilla. Intermediate certificates are grouped with root certificates under "Authorities". If you have an intermediate certificate in your database, you can mark it trusted without having the root certificate, in which case you don't need the root certificate.

However, proper setup of a secure Web site involves having not only the site certificate on the server but also copies of any intermediate certificates on that server. Then the visitor can authenticate the site with only a trusted root certificate.

I recently ran into a secure Web site where the site certificate used an intermediate certificate. The issuer of the root certificate is not listed by WebTrust because the company no longer exists, having been bought by another company. I had marked the root certificate as untrusted when WebTrust could not (at that time) certify that the acquisition did not impair its trustworthiness. This prevented me from authenticating the Web site.

However, the intermediate certificate had been issued by a start-up CA, who (by then) did have the WebTrust seal. I imported the intermediate certificate and marked it trusted, which now allows me to authenticate the site. (Today, that root certificate is also marked trusted in my database per communication from WebTrust.)

--
David E. Ross
<http://www.rossde.com/>

I use Mozilla as my Web browser because I want a browser that
complies with Web standards. See <http://www.mozilla.org/>.

_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
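
The trust behaviour described in the message above, as an added example that is not part of the original post and is not Mozilla or NSS code: a simplified path-building model in which the first CA certificate marked trusted ends the chain. The certificate names are constructed, and signatures, validity dates and constraints are not checked.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


# Constructed names standing in for the chain described in the message.
ROOT = Cert("Acquired Root CA", "Acquired Root CA")
INTERMEDIATE = Cert("Start-up Intermediate CA", "Acquired Root CA")
SITE = Cert("www.example.test", "Start-up Intermediate CA")


def validate(leaf, sent_by_server, store, trust):
    """Return (ok, path). `store` holds locally imported CA certificates;
    `trust` maps a certificate to True (trusted) or False (explicitly
    distrusted). Assumption: this models only anchor selection."""
    pool = {c.subject: c for c in list(sent_by_server) + list(store)}
    path, current = [leaf.subject], leaf
    while True:
        issuer = pool.get(current.issuer)
        if issuer is None or issuer.subject in path:
            return False, path            # issuer unavailable, or a loop
        path.append(issuer.subject)
        flag = trust.get(issuer)
        if flag is True:
            return True, path             # first trusted CA ends the path
        if flag is False or issuer.subject == issuer.issuer:
            return False, path            # distrusted, or untrusted self-signed root
        current = issuer


def scenarios():
    both = {ROOT: False, INTERMEDIATE: True}
    return {
        "intermediate trusted, root absent":
            validate(SITE, [], [INTERMEDIATE], {INTERMEDIATE: True})[0],
        "root trusted, server sends intermediate":
            validate(SITE, [INTERMEDIATE], [ROOT], {ROOT: True})[0],
        "root trusted, server omits intermediate":
            validate(SITE, [], [ROOT], {ROOT: True})[0],
        "root distrusted, intermediate not marked":
            validate(SITE, [INTERMEDIATE], [ROOT], {ROOT: False})[0],
        "root distrusted, intermediate trusted":
            validate(SITE, [], [ROOT, INTERMEDIATE], both)[0],
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name}: {'valid' if ok else 'rejected'}")
```

The third scenario is the misconfigured server from the second paragraph: with only the root trusted and no intermediate supplied, no path can be built.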
