Nelson,

Nelson Bolyard wrote:
David Stutzman wrote:

I don't know if this has been covered here before.  I did a quick search
through bugzilla and didn't find anything so here goes.  If this isn't
an existing issue I'll be happy to file a feature request bug.  I was
thinking about how the certificate trust settings gui works and if you
select all the trust settings for a root CA you do not have to select
any options at all for any subordinate CAs.  If you open the trust
dialog for a subordinate CA whose root CA is fully trusted then usually
all the check boxes are left blank.  What would be nice to see is a
grayed out check box for all the trust settings that are being inherited
from above the current CA you are looking at so you can tell that this
CA *IS* being trusted.

Dave


AFAIK, no one has previously requested an indicator of inherited trust,
but it seems reasonable to me.  Please file an RFE in bugzilla.  Thanks.

But trust actually is not inherited. Trust to NSS means that the cert validation ends at the trusted certificate - no other issuing certificates are searched.

In the above case, the CA is not trusted, so the NSS cert validation algorithm has to keep looking for certs until it finds a trusted one - or not, and it must verify the larger chain that includes all the certs up to a trust anchor. But there are also many things other than trust/lack of trust that can prematurely abort the cert validation - for example constraints, key usage / extended key usage extension values in the issuing certs. All that you really have is a trust anchor that may be part of the same chain as your CA cert, which means there is a possibility that some certs from that CA may be validated.

Showing a tree of trust would be useful, but this only makes sense in the context of a given cert chain, not in the context of the trust properties of an isolated CA cert. Without a cert chain, there will be no trusted cert to get trust bits from, since the particular CA is untrusted.

One must consider that cert chains are not static, and even for a unique CA cert, there can be several chains to be considered.

A CA cert can have multiple issuer certs that match it, the most common case being if the issuing cert is renewed with a different date. But other cert attribute may change too in the renewed cert, such as constraints or key usage extensions.

The current cert validation in NSS always chains a cert to the newest issuer cert, even though that may not have trust set, for example because that second issuer cert came over SSL or in an S/MIME message. Lack of trust may in turn cause cert validation to fail.

Since the certs from the peer may be only temporary decoded and destroyed by the application during the processing of the SSL connection or S/MIME message, there would be no opportunity for a mozilla browser user to see in the GUI that any of this happened - the second issuer cert wouldn't show at the time the user clicks. So, this type of UI may create as many problems as it will resolve.

The right place to deal with this type of problem is when the application encounters a cert chain it can't verify. Then it can display the whole cert chain, including any trust properties - but we already know implicitly that any cert part of the invalid chain isn't trusted for the purpose being tested, or the validation would have succeeded.

Note that in the near future, NSS will be able to explore many more cert trees, and will not always select the newest cert as the issuing cert anymore. If the cert validation with the newest cert fails, other cert trees will be explored. This means there may be several chains considered during the validation - each with cert containing different trust. That makes the validation algorithm much more forgiving, but it also outlines the need for selecting a cert chain to use to get original trust from.
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto

Reply via email to