Re: VeriSign Class 3 Secure Server CA?
Mele wrote: The microsoft.ipsos.com is on rackspace.com which is another Microsoft partner. Firefox should not bork at this Microsoft partner site. The certs are at the site and IE has no problem getting them. Well...First, this kind of domain name is unfortunate and one can't blame the user for not getting used to all kinds of microsoft.something.com URLs... Second, Firefox barks at any web site, which doesn't have the certificate installed correctly. This has nothing to do with Microsoft partners per se... It is one of the weak spots in Fx and I'm tired of the problems. It's currently not a weak spot of Firefox...but I asked Nelson for the RFC which suggests that one /can/ fetch intermediate CA certificates the way IE does. If there is such a standard which suggests it as an option, than I think Mozilla should implement it You just blamed the server at the Ipsos site. Correct, the installation is not complete at that site! Maybe the blame is on a misconfigured server Yes, it is! It is not configured and installed correctly! This *is* the problem... If you install a web page wrongfully on your web server and the page doesn't render, who do you have to blame? The browser? Of course not...so in this case, this is a problem of the server admin as well... but finger pointing doesn't get the problem solved. You did not offer one constructive idea of how to fix this sort of problem that Fx has, but IE doesn't, other than complain to the webmaster or better just go use IE. I'd rather suggest *not* to visit that site and *not* participate in any survey until the problem is fixed! Obviously this site doesn't really give you a good feeling...judging from the URL, certificate installation etcI wouldn't provide any data...But perhaps this is what it's all about? Maybe they don't want non-microsoft - non-IE users to participate? ;-) -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Phone: +1.213.341.0390 ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: VeriSign Class 3 Secure Server CA?
Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Mele wrote: The microsoft.ipsos.com is on rackspace.com which is another Microsoft partner. Firefox should not bork at this Microsoft partner site. The certs are at the site and IE has no problem getting them. Well...First, this kind of domain name is unfortunate and one can't blame the user for not getting used to all kinds of microsoft.something.com URLs... Second, Firefox barks at any web site, which doesn't have the certificate installed correctly. This has nothing to do with Microsoft partners per se... It is one of the weak spots in Fx and I'm tired of the problems. It's currently not a weak spot of Firefox...but I asked Nelson for the RFC which suggests that one /can/ fetch intermediate CA certificates the way IE does. If there is such a standard which suggests it as an option, than I think Mozilla should implement it You just blamed the server at the Ipsos site. Correct, the installation is not complete at that site! Maybe the blame is on a misconfigured server Yes, it is! It is not configured and installed correctly! This *is* the problem... If you install a web page wrongfully on your web server and the page doesn't render, who do you have to blame? The browser? Of course not...so in this case, this is a problem of the server admin as well... but finger pointing doesn't get the problem solved. You did not offer one constructive idea of how to fix this sort of problem that Fx has, but IE doesn't, other than complain to the webmaster or better just go use IE. I'd rather suggest *not* to visit that site and *not* participate in any survey until the problem is fixed! Obviously this site doesn't really give you a good feeling...judging from the URL, certificate installation etcI wouldn't provide any data...But perhaps this is what it's all about? Maybe they don't want non-microsoft - non-IE users to participate? ;-) -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Phone: +1.213.341.0390 Oh, I just went to the site on IE and did the survey on IE. I have done these surveys before but quite awhile since one from this Microsoft partner. I just went to the http://www.microsoft.com/mscorp/marketing_research/ site again a couple of hours ago and up popped a request for me to do another survey! I was supposed to surf about and then come back and do the survey. Fx didn't bork on this...but this survey by CmScore is not https because the answers are anon. The earlier survey asks permission to link my answers to my Microsoft Profile so I can be contacted for further explanation of my answers especially the last one where I type several paragraphs about what is the one thing Microsoft can do to gain better customer trust and satisfaction. The thing is having to do it on IE was a bummer because the same thing happened that happened once before using IE for one of these surveys. I took considerable pains at the end to type about six paragraphs regarding what one thing Microsoft can do to improve customer satisfaction and trust. I went to submit the survey and got a error saying it had timed out. I tried to go back to the previous page where those six paragraphs were and couldn't. I was mad! So, I didn't submit the survey and I wrote the email address we were given if we had questions or problems. The irony here is that if I had just accepted the cert on Fx and done the survey on Fx, I am almost certain that if I got a time out at the end that I could have gone back to the previous page where those six paragraphs were and saved all the answers (the survey is so long that you are periodically offered the chance to save your answers and finish it another time) and then later come back and submitted. IE has a flaw in this regard that Fx doesn't. I certainly agree that, if possible, Fx should fetch those intermediate CA certs like IE does. This not the first time I have encountered a problem like this with Fx and I have asked earlier for some resolution besides contacting the naughty webmaster who didn't read the Verisign emails and thus doesn't have his server properly configured. I, the end user, should not need to do that or to scratch my head and wonder if I should accept the cert for this time only, etc. What's different about 1.0? Someone I know fairly well stated that he had no problems with Fx 1.0 at the site. ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: VeriSign Class 3 Secure Server CA?
Eddy Nigg (StartCom Ltd.) wrote: Nelson Bolyard wrote: Yes, there is a standard for certs that allows (but does not require) relying parties to go search on the internet for missing intermediate CA certs. Do you have the quote from the corresponding RFC for this? It's RFC 3280 section 4.2.2.1, Authority Information Access Too big to quote here. But that standard does NOT relieve SSL servers of the obligation to send their entire server cert chains Correct. Later, Eddy wrote: If there is such a standard which suggests it as an option, than I think Mozilla should implement it We're working on it. Now up to 60,000 lines of new code for it, and still growing. This feature is actually necessary in bridge CA (a.k.a. Cross certified CA infrastructures, which are now beginning to emerge, mostly in Asia. Earlier, Eddy wrote: At our CA, we have a robot checking for missing ICA certificatesand send an appropriate message to the subscriber... And by the subscriber, Eddy means the web site administrator who acquired the cert for his server. Eddy, that's brilliant. It's a service that adds tremendous value for your subscribers and all their users/customers. I wish more CAs did that. ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: VeriSign Class 3 Secure Server CA?
Throughout the lifetime of mozilla browsers, there have been innumerable web sites that worked with IE but not mozilla, because those web sites' content depended on IE behavior, and were not testing with any browser other than IE. Countless users have whined to mozilla with messages saying (in effect) your browser sucks because it isn't just like IE. Mozilla's answer has generally been this: Mozilla products work with all web sites that conform to the relevant standards. This thread is no different in any respect. There are some people for whom the best answer is use IE. Those are people who insist that any product that doesn't render their favorite web site as well as IE is therefore inferior to IE. Those people will never be satisfied with anything but IE, and they should stop whining and use IE. People who say they really prefer mozilla browsers, but can't or won't use them because things are rendered differently than IE, are merely advocates for IE, trying to disguise their advocacy. To such writers, I say, If you want IE's behavior rather than standards-based behavior, you can get it all you want, by using IE. Please do. You won't make any friends here by continuing to belittle mozilla browsers for not being IE. ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: VeriSign Class 3 Secure Server CA?
Nelson Bolyard wrote: We're working on it. Now up to 60,000 lines of new code for it, and still growing. This feature is actually necessary in bridge CA (a.k.a. Cross certified CA infrastructures, which are now beginning to emerge, mostly in Asia. Cool! So I guess this issue gets addressed now anyway... Earlier, Eddy wrote: At our CA, we have a robot checking for missing ICA certificatesand send an appropriate message to the subscriber... And by the subscriber, Eddy means the web site administrator who acquired the cert for his server. Eddy, that's brilliant. It's a service that adds tremendous value for your subscribers and all their users/customers. I wish more CAs did that. Thank you for the flowers :-) -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Phone: +1.213.341.0390 ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
Re: VeriSign Class 3 Secure Server CA?
Nelson Bolyard [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Throughout the lifetime of mozilla browsers, there have been innumerable web sites that worked with IE but not mozilla, because those web sites' content depended on IE behavior, and were not testing with any browser other than IE. Countless users have whined to mozilla with messages saying (in effect) your browser sucks because it isn't just like IE. Mozilla's answer has generally been this: Mozilla products work with all web sites that conform to the relevant standards. This thread is no different in any respect. There are some people for whom the best answer is use IE. Those are people who insist that any product that doesn't render their favorite web site as well as IE is therefore inferior to IE. Those people will never be satisfied with anything but IE, and they should stop whining and use IE. People who say they really prefer mozilla browsers, but can't or won't use them because things are rendered differently than IE, are merely advocates for IE, trying to disguise their advocacy. To such writers, I say, If you want IE's behavior rather than standards-based behavior, you can get it all you want, by using IE. Please do. You won't make any friends here by continuing to belittle mozilla browsers for not being IE. I have not whined about Firefox, SeaMonkey not being just like IE. If I wanted a browser that was just like IE then I would use it. Why would I be here trying to get something that needs fixing in Firefox fixed if I liked IE? I am trying to discuss a security issue that has nothing to do with how a page looks in Mozilla as opposed to IE. I'm a realist and a practical person. Mozilla developers appear sometimes to have their heads in the clouds. I don't know whether the webmaster of the site goofed or not since the relevant certs are there for IE to collect although evidently the webmaster didn't do any of this to standards...but quick and dirty so to speak or more specifically perhaps I should say that IE collects them in a quick and dirty manner not up to standards. I am asking why Mozilla expects its users to fix this problem themselves by contacting the webmaster of every page on the internet where the server is misconfigured because the webmaster didn't read his Verisign mail. And what is the individual to do while they wait for the webmaster to finally fix his server? You are being very impractical. I see Fx 2.0 as being dumbed down in some security/privacy areas (that is why I won't use it) and the reasons given for this is that Mozilla has to appeal to the unwashed masses who don't understand many things that were in versions up to 2.0 and thus removed, or made less secure/private in 2.0, or hidden from the GUI. So, using that reasoning why does Mozilla hide behind meeting standards as a reason to not fix this particular problem? Don't the unwashed masses that Mozilla wishes to appeal to deserve better? BTW, I have used Mozilla browsers as my default browser since the days of Phoenix and I resent your implying that I am some IE advocate in disguise. Also, for whatever it is worth, the best version of Fx was 0.8. Those were the heady days ___ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security