I do have to point out, no CA pays Mozilla to be in Firefox's database. What the CA pays for is the auditing required to pass Mozilla's criteria for inclusion in the database.
That said, my personal opinion is that the CA model is broken from the start, and I am pushing for a way to opt out of Mozilla's root certificate distribution without having to individually remove trust from every CA in their database.

-Kyle H

On Fri, Jun 20, 2008 at 7:16 AM, Sendroiu Eugen <[EMAIL PROTECTED]> wrote:
> As I said, you usually can't. For instance, Firefox has a database with
> certificates from many trust anchors (they pay to be in that database),
> so when it wants to validate a certificate it asks the db about it. If you have
> an HTTPS server which has a self-signed certificate that isn't in Firefox's
> db, then you will get an error that the certificate could not be validated.
>
> This is because you cannot access their online LDAP or X.500 stores of
> certificates except if you are their client (I bought a class 4 certificate,
> for application signing, and they gave me a user/pass to their online
> repository). Even then you might have restricted access, and if you
> want the CA's self-signed certificate (if the CA is Verisign or another root CA),
> that cert you won't find in their repositories.
>
> I would be interested too to find a way to retrieve certificates online, but
> I'm afraid currently there isn't any. That's why Verisign wants to take over DNS,
> so that they can distribute certs at will - ISPs are too lazy to do that.
>
> Cheers,
> Eugen.
>
>
> ----- Original Message ----
> From: AlokBhatnagar <[EMAIL PROTECTED]>
> To: openssl-users@openssl.org
> Sent: Friday, June 20, 2008 4:49:55 PM
> Subject: Re: Server Authentication
>
> Hello Sendroiu,
>
> That's what I was asking....
>
> How can I get the certificates of CAs I trust?
>
> Regards
>
> Alok Bhatnagar
>
>
> ----- Original Message -----
> From: Sendroiu Eugen
> To: openssl-users@openssl.org
> Sent: Friday, June 20, 2008 7:12 PM
> Subject: Re: Server Authentication
>
> From what I understand, you need the trust anchor's certificate (e.g. Verisign)
> so that you can check the server's certificate against the probably
> self-signed Verisign certificate. It is supposed that you already have the
> certificates of CAs you trust.
> If your question is how to find a specific certificate online, the simple
> answer is that you usually can't.
>
> ----- Original Message ----
> From: AlokBhatnagar <[EMAIL PROTECTED]>
> To: openssl-users@openssl.org
> Sent: Friday, June 20, 2008 4:02:15 PM
> Subject: Re: Server Authentication
>
> Thanks David,
>
> I know that the domain name should be the same as the common name in the server
> certificate which is sent by the server to the client.
>
> As I know, the SSL client verifies the server's certificate against the CA
> certificate loaded in the client.
>
> Suppose I trust the Verisign CA. So my client must have the Verisign CA certificate
> in order to verify the server's certificate.
>
> So I want to ask, how will I get the CA certificate or the list of CA
> certificates that I trust?
>
> Thanks
>
> Regards
> Alok Bhatnagar
>
>
> ----- Original Message -----
> From: "David Schwartz" <[EMAIL PROTECTED]>
> To: <openssl-users@openssl.org>
> Sent: Friday, June 20, 2008 6:03 PM
> Subject: RE: Server Authentication
>
>>
>> > So I want to know how will my client authenticate the server
>> > since I don't have the server's root certificate?
>>
>> > Thanks in Advance..
>>
>> > Regards
>> > Alok Bhatnagar
>>
>> That is completely application-dependent. The answer will depend on what
>> makes the legitimate server different from an impostor.
>>
>> Your question is basically, "how can I detect an impostor?". And the answer
>> is "as opposed to what?". For example, if the question is, "how can I tell
>> the real amazon.com from an impostor who doesn't control that domain?" the
>> answer is to see if the server presents a certificate with 'amazon.com' in
>> the common name that is signed by a CA you trust.
>>
>> If you don't know what CAs you trust, then you have a problem.
>>
>> DS
>>
>>
>> ______________________________________________________________________
>> OpenSSL Project http://www.openssl.org
>> User Support Mailing List openssl-users@openssl.org
>> Automated List Manager [EMAIL PROTECTED]