Re: VeriSign Class 3 Secure Server CA?
On Friday, 23 March 2007 14:34:58 UTC+5:30, Melelina wrote:

Why is the VeriSign Class 3 Secure Server CA which can be downloaded here: http://SVRSecure-aia.verisign.com/SVRSecure2005-aia.cer not in the Fx certificate store? Should this not have been added in the latest update of Fx (1.5.0.11)?

Also, why am I unable to edit the cert issued to http://www.microsoft.ipsos.com/ which I took from IE and put in the Fx Cert Manager? I want to trust this cert but when I use edit and click the trust button upon closing the Certificate Manager my edit is reversed and the do not trust button is chosen.

Even after all this hassle, Fx will not open http://www.microsoft.ipsos.com/. I don't know if the Microsoft server is misconfigured or not but it shouldn't matter since I imported both Certs to the Fx Cert Manager except Fx won't let me change the trust on the Microsoft cert and perhaps if I could do that then Fx would open the site.

___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Re: VeriSign Class 3 Secure Server CA?
Mele wrote:

> The microsoft.ipsos.com is on rackspace.com which is another Microsoft partner. Firefox should not bork at this Microsoft partner site. The certs are at the site and IE has no problem getting them.

Well...First, this kind of domain name is unfortunate and one can't blame the user for not getting used to all kinds of microsoft.something.com URLs... Second, Firefox barks at any web site, which doesn't have the certificate installed correctly. This has nothing to do with Microsoft partners per se...

> It is one of the weak spots in Fx and I'm tired of the problems.

It's currently not a weak spot of Firefox...but I asked Nelson for the RFC which suggests that one /can/ fetch intermediate CA certificates the way IE does. If there is such a standard which suggests it as an option, then I think Mozilla should implement it

> You just blamed the server at the Ipsos site.

Correct, the installation is not complete at that site!

> Maybe the blame is on a misconfigured server

Yes, it is! It is not configured and installed correctly! This *is* the problem... If you install a web page wrongfully on your web server and the page doesn't render, who do you have to blame? The browser? Of course not...so in this case, this is a problem of the server admin as well...

> but finger pointing doesn't get the problem solved. You did not offer one constructive idea of how to fix this sort of problem that Fx has, but IE doesn't, other than complain to the webmaster or better just go use IE.

I'd rather suggest *not* to visit that site and *not* participate in any survey until the problem is fixed! Obviously this site doesn't really give you a good feeling...judging from the URL, certificate installation etc. I wouldn't provide any data...But perhaps this is what it's all about? Maybe they don't want non-microsoft - non-IE users to participate? ;-)

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
Re: VeriSign Class 3 Secure Server CA?
Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Mele wrote:
>
>> The microsoft.ipsos.com is on rackspace.com which is another Microsoft partner. Firefox should not bork at this Microsoft partner site. The certs are at the site and IE has no problem getting them.
>
> Well...First, this kind of domain name is unfortunate and one can't blame the user for not getting used to all kinds of microsoft.something.com URLs... Second, Firefox barks at any web site, which doesn't have the certificate installed correctly. This has nothing to do with Microsoft partners per se...
>
>> It is one of the weak spots in Fx and I'm tired of the problems.
>
> It's currently not a weak spot of Firefox...but I asked Nelson for the RFC which suggests that one /can/ fetch intermediate CA certificates the way IE does. If there is such a standard which suggests it as an option, then I think Mozilla should implement it
>
>> You just blamed the server at the Ipsos site.
>
> Correct, the installation is not complete at that site!
>
>> Maybe the blame is on a misconfigured server
>
> Yes, it is! It is not configured and installed correctly! This *is* the problem... If you install a web page wrongfully on your web server and the page doesn't render, who do you have to blame? The browser? Of course not...so in this case, this is a problem of the server admin as well...
>
>> but finger pointing doesn't get the problem solved. You did not offer one constructive idea of how to fix this sort of problem that Fx has, but IE doesn't, other than complain to the webmaster or better just go use IE.
>
> I'd rather suggest *not* to visit that site and *not* participate in any survey until the problem is fixed! Obviously this site doesn't really give you a good feeling...judging from the URL, certificate installation etc. I wouldn't provide any data...But perhaps this is what it's all about? Maybe they don't want non-microsoft - non-IE users to participate? ;-)
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Phone: +1.213.341.0390

Oh, I just went to the site on IE and did the survey on IE. I have done these surveys before but quite awhile since one from this Microsoft partner. I just went to the http://www.microsoft.com/mscorp/marketing_research/ site again a couple of hours ago and up popped a request for me to do another survey! I was supposed to surf about and then come back and do the survey. Fx didn't bork on this...but this survey by CmScore is not https because the answers are anon. The earlier survey asks permission to link my answers to my Microsoft Profile so I can be contacted for further explanation of my answers especially the last one where I type several paragraphs about what is the one thing Microsoft can do to gain better customer trust and satisfaction.

The thing is having to do it on IE was a bummer because the same thing happened that happened once before using IE for one of these surveys. I took considerable pains at the end to type about six paragraphs regarding what one thing Microsoft can do to improve customer satisfaction and trust. I went to submit the survey and got an error saying it had timed out. I tried to go back to the previous page where those six paragraphs were and couldn't. I was mad! So, I didn't submit the survey and I wrote the email address we were given if we had questions or problems.

The irony here is that if I had just accepted the cert on Fx and done the survey on Fx, I am almost certain that if I got a time out at the end that I could have gone back to the previous page where those six paragraphs were and saved all the answers (the survey is so long that you are periodically offered the chance to save your answers and finish it another time) and then later come back and submitted. IE has a flaw in this regard that Fx doesn't.

I certainly agree that, if possible, Fx should fetch those intermediate CA certs like IE does. This is not the first time I have encountered a problem like this with Fx and I have asked earlier for some resolution besides contacting the naughty webmaster who didn't read the Verisign emails and thus doesn't have his server properly configured. I, the end user, should not need to do that or to scratch my head and wonder if I should accept the cert for this time only, etc.

What's different about 1.0? Someone I know fairly well stated that he had no problems with Fx 1.0 at the site.
Re: VeriSign Class 3 Secure Server CA?
Eddy Nigg (StartCom Ltd.) wrote:

> Nelson Bolyard wrote:
>
>> Yes, there is a standard for certs that allows (but does not require) relying parties to go search on the internet for missing intermediate CA certs.
>
> Do you have the quote from the corresponding RFC for this?

It's RFC 3280 section 4.2.2.1, Authority Information Access. Too big to quote here.

>> But that standard does NOT relieve SSL servers of the obligation to send their entire server cert chains
>
> Correct.

Later, Eddy wrote:

> If there is such a standard which suggests it as an option, then I think Mozilla should implement it

We're working on it. Now up to 60,000 lines of new code for it, and still growing. This feature is actually necessary in bridge CA (a.k.a. Cross certified CA infrastructures, which are now beginning to emerge, mostly in Asia.

Earlier, Eddy wrote:

> At our CA, we have a robot checking for missing ICA certificates and send an appropriate message to the subscriber...

And by the subscriber, Eddy means the web site administrator who acquired the cert for his server.

Eddy, that's brilliant. It's a service that adds tremendous value for your subscribers and all their users/customers. I wish more CAs did that.
Re: VeriSign Class 3 Secure Server CA?
Throughout the lifetime of mozilla browsers, there have been innumerable web sites that worked with IE but not mozilla, because those web sites' content depended on IE behavior, and were not testing with any browser other than IE.

Countless users have whined to mozilla with messages saying (in effect) your browser sucks because it isn't just like IE.

Mozilla's answer has generally been this: Mozilla products work with all web sites that conform to the relevant standards.

This thread is no different in any respect.

There are some people for whom the best answer is use IE. Those are people who insist that any product that doesn't render their favorite web site as well as IE is therefore inferior to IE. Those people will never be satisfied with anything but IE, and they should stop whining and use IE.

People who say they really prefer mozilla browsers, but can't or won't use them because things are rendered differently than IE, are merely advocates for IE, trying to disguise their advocacy.

To such writers, I say, If you want IE's behavior rather than standards-based behavior, you can get it all you want, by using IE. Please do. You won't make any friends here by continuing to belittle mozilla browsers for not being IE.
Re: VeriSign Class 3 Secure Server CA?
Nelson Bolyard wrote:

> We're working on it. Now up to 60,000 lines of new code for it, and still growing. This feature is actually necessary in bridge CA (a.k.a. Cross certified CA infrastructures, which are now beginning to emerge, mostly in Asia.

Cool! So I guess this issue gets addressed now anyway...

> Earlier, Eddy wrote:
>
>> At our CA, we have a robot checking for missing ICA certificates and send an appropriate message to the subscriber...
>
> And by the subscriber, Eddy means the web site administrator who acquired the cert for his server.
>
> Eddy, that's brilliant. It's a service that adds tremendous value for your subscribers and all their users/customers. I wish more CAs did that.

Thank you for the flowers :-)

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
Re: VeriSign Class 3 Secure Server CA?
Nelson Bolyard [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Throughout the lifetime of mozilla browsers, there have been innumerable web sites that worked with IE but not mozilla, because those web sites' content depended on IE behavior, and were not testing with any browser other than IE.
>
> Countless users have whined to mozilla with messages saying (in effect) your browser sucks because it isn't just like IE.
>
> Mozilla's answer has generally been this: Mozilla products work with all web sites that conform to the relevant standards.
>
> This thread is no different in any respect.
>
> There are some people for whom the best answer is use IE. Those are people who insist that any product that doesn't render their favorite web site as well as IE is therefore inferior to IE. Those people will never be satisfied with anything but IE, and they should stop whining and use IE.
>
> People who say they really prefer mozilla browsers, but can't or won't use them because things are rendered differently than IE, are merely advocates for IE, trying to disguise their advocacy.
>
> To such writers, I say, If you want IE's behavior rather than standards-based behavior, you can get it all you want, by using IE. Please do. You won't make any friends here by continuing to belittle mozilla browsers for not being IE.

I have not whined about Firefox, SeaMonkey not being just like IE. If I wanted a browser that was just like IE then I would use it. Why would I be here trying to get something that needs fixing in Firefox fixed if I liked IE? I am trying to discuss a security issue that has nothing to do with how a page looks in Mozilla as opposed to IE.

I'm a realist and a practical person. Mozilla developers appear sometimes to have their heads in the clouds. I don't know whether the webmaster of the site goofed or not since the relevant certs are there for IE to collect although evidently the webmaster didn't do any of this to standards...but quick and dirty so to speak or more specifically perhaps I should say that IE collects them in a quick and dirty manner not up to standards.

I am asking why Mozilla expects its users to fix this problem themselves by contacting the webmaster of every page on the internet where the server is misconfigured because the webmaster didn't read his Verisign mail. And what is the individual to do while they wait for the webmaster to finally fix his server? You are being very impractical.

I see Fx 2.0 as being dumbed down in some security/privacy areas (that is why I won't use it) and the reasons given for this is that Mozilla has to appeal to the unwashed masses who don't understand many things that were in versions up to 2.0 and thus removed, or made less secure/private in 2.0, or hidden from the GUI. So, using that reasoning why does Mozilla hide behind meeting standards as a reason to not fix this particular problem? Don't the unwashed masses that Mozilla wishes to appeal to deserve better?

BTW, I have used Mozilla browsers as my default browser since the days of Phoenix and I resent your implying that I am some IE advocate in disguise. Also, for whatever it is worth, the best version of Fx was 0.8. Those were the heady days
Re: VeriSign Class 3 Secure Server CA?
Melelina wrote:

> Also, why am I unable to edit the cert issued to http://www.microsoft.ipsos.com/ which I took from IE and put in the Fx Cert Manager? I want to trust this cert but when I use edit and click the trust button upon closing the Certificate Manager my edit is reversed and the do not trust button is chosen.

How good that this certificate isn't trusted...which CA issues such a certificate www.microsoft.ipsos.com? I guess that the signer is a fake Verisign certificate

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
Re: VeriSign Class 3 Secure Server CA?
Melelina wrote:

> I don't have a server. I am a user who got an email from Microsoft asking me to participate in a global survey of Microsoft's customer service.

Then you should reply and tell them their site is misconfigured, and that it throws up security warnings, and they should fix it. You can even tell them how to, as we've explained it in this thread.

> There is no dialog when I try to visit the site that would allow me to Accept this certificate permanently.

That's strange - I get one.

> As for root certs...Verisign has stopped that. They are no more. Verisign certs are NO LONGER signed by a root authority. They have switched to an intermediate authority only. They have spent two years switching and just finished this month...hence all the problems because Fx hasn't kept up!

The way it works is that certificates are in a chain. It used to be a chain of only two - the website cert - the root cert. Verisign, for very good reasons, has switched to a chain of three - website cert - intermediate cert - root cert. And it's the webserver's responsibility to provide all the certs in the chain except the root.

So the webserver certs are still signed by a root authority, indirectly. If they were not in a chain of trust linking to a root, then no browser would trust them.

> already had. Explain to me how Fx is going to handle Verisign 2 step certs if it won't keep the intermediate cert in the store?

See above.

> I don't care if Microsoft has a misconfigured server and I don't really think that is the problem. I simply want Fx to accept the cert which it should be doing.

No, it shouldn't. I can create a cert which claims to be a VeriSign Class 3 Secure Server CA and sign my webserver's cert with it. If you then visit my website, you'll get exactly the same error as you see at the ipsos.com site. The ipsos one is genuine and my one isn't - but there's no way Firefox can tell that without a copy of the intermediate cert.

Gerv
Re: VeriSign Class 3 Secure Server CA?
Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Melelina wrote:
>
>> Also, why am I unable to edit the cert issued to http://www.microsoft.ipsos.com/ which I took from IE and put in the Fx Cert Manager? I want to trust this cert but when I use edit and click the trust button upon closing the Certificate Manager my edit is reversed and the do not trust button is chosen.
>
> How good that this certificate isn't trusted...which CA issues such a certificate www.microsoft.ipsos.com? I guess that the signer is a fake Verisign certificate
>
> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Phone: +1.213.341.0390

No, it is not fake. The cert is issued to www.microsoft.ipsos.com by Verisign. Fx borks at this and says Verisign is an untrusted issuer because it doesn't have the NEW Verisign cert in the store. The new Verisign cert is an INTERMEDIATE cert and it matters not the slightest that Fx traditionally has not stored intermediate certs. It has to now and why isn't it? Verisign no longer uses the old fashioned Root certs. They have slowly switched over the past two years to a two step intermediate certification.

Granted, Microsoft evidently hasn't properly configured their server and the certs are not being sent correctly. But, since I went and downloaded the Verisign intermediate cert and placed it in the Fx Cert Manager and then exported the cert issued by Verisign to www.microsoft.ipso.com to my desktop and then imported it to the Cert Manager for Fx, I should not be having Fx refuse to connect to the site.

Maybe I put the microsoft cert in the wrong section of the Certificate Manager and that might be why I can't edit it. I put it under the Web tab. It may better be under other people's. I think the problem with the editing might be that there is no ok button on the edit popup and the popup extends beyond the width of my screen so it is hard to even close the edit popup. I'm on my old 98SE machine as my XP Pro one year old machine is awaiting a second replacement mobo (first was doa) and it won't boot but I think there is an ok button on that edit screen and it is not showing up on 98SE.

I had to end up using IE and going to the site and then the survey took about 20 minutes (I've done these many times for Microsoft) and because I was on IE, not Fx, at the end of the survey where you are invited to tell in your own words (as many words as you want) the most important things Microsoft can do to gain customer trust and approval, after writing about six paragraphs, I went to submit the survey (it is personalized based on your initial and later answers and is a cool survey) and got an error that the session had timed out. That has never happened on Fx but I recalled later that it happened the other time I used IE because of concern with Fx not accepting the cert and that was about a year ago.

I want to use Fx at Microsoft sites and I am very tired of Fx problems with Microsoft certs and now there is the problem of Fx not having the new Verisign intermediate cert and it wanting to rely on root certs that are no longer used by Verisign. At least this is what I understand the situation to be from threads at Mozillazine and dslreports security forum, etc. If this is not the case please enlighten me.
Re: VeriSign Class 3 Secure Server CA?
Gervase Markham wrote:

> IE will also have a similar problem, but only if it has never encountered a correctly-configured web server (i.e. it caches intermediate certs). So IE in new installs of Windows will also have the problem.

This is not correct! IE fetches the intermediate CA if it finds a CA issuer extension within the subscriber certificate, which isn't really by any RFC, but nevertheless very useful! Many server installations are missing the intermediate CA files and IE gets around this problem in this way...Something to consider for Mozilla Firefox?

At our CA, we have a robot checking for missing ICA certificates and send an appropriate message to the subscriber...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
Re: VeriSign Class 3 Secure Server CA?
Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

> Gervase Markham wrote:
>
>> IE will also have a similar problem, but only if it has never encountered a correctly-configured web server (i.e. it caches intermediate certs). So IE in new installs of Windows will also have the problem.
>
> This is not correct! IE fetches the intermediate CA if it finds a CA issuer extension within the subscriber certificate, which isn't really by any RFC, but nevertheless very useful! Many server installations are missing the intermediate CA files and IE gets around this problem in this way...Something to consider for Mozilla Firefox?
>
> At our CA, we have a robot checking for missing ICA certificates and send an appropriate message to the subscriber...

Ah! A voice of sanity. Of course, Fx should have some method of obtaining these intermediate certs so that the user doesn't have to go look for them themselves as I have done! Microsoft and other sites are not going to fix their servers that quickly...if ever and Fx should have a way to work around that instead of haughtily insisting that standards aren't being met and that the poor user should just contact the website with the misconfigured server and complain. That is not realistic to ask that of the average Fx user.

What the reality is currently is that Fx refusing to figure out a way, as IE has, to get these intermediate certs installed when servers are misconfigured is that Fx is encouraging the user to just ignore any popup warnings about the certs and to just click to accept any and all. It makes for a jaded user and invites security problems. In respect to how certs are handled, much as I love Fx, I think IE is superior in this regard.

> --
> Regards
>
> Signer: Eddy Nigg, StartCom Ltd.
> Jabber: [EMAIL PROTECTED]
> Phone: +1.213.341.0390
Re: VeriSign Class 3 Secure Server CA?
> I can create a cert which claims to be a VeriSign Class 3 Secure Server CA and sign my webserver's cert with it. If you then visit my website, you'll get exactly the same error as you see at the ipsos.com site.

Which however means, that your certificate installation isn't complete and should add the intermediate CA certificate to your server...Which server software are you using?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
Re: VeriSign Class 3 Secure Server CA?
Melelina wrote:

> The cert is issued to www.microsoft.ipsos.com by Verisign.

Or it appears to be.

> I want to use Fx at Microsoft sites and I am very tired of Fx problems with Microsoft certs

But you haven't yet shown any evidence of FF having a problem with a Microsoft site. The site you cited is NOT a Microsoft site. The cert for that server claims to have been issued to:

    O = IPSOS-REID Corporation
    L = Winnipeg
    ST = Manitoba
    C = US

(Heh, I guess the US must have annexed Manitoba when I wasn't looking. :)

If you DO have troubles with real Microsoft web sites, you can let me know. I have contacts among Microsoft web site admins, and when I report a problem with their servers, they often (not always) get fixed. They always reply, somewhat red faced, that they only tested with IE. I have no contacts in Manitoba.

> and now there is the problem of Fx not having the new Verisign intermediate cert

Verisign's class 3 intermediate CA cert is not new. It was issued on April 16, 1997, 10 years ago (next month). It has been continuously in use by thousands of web sites all that time, with NO difficulty by mozilla browsers.

Recently, Verisign discontinued issuing certs from their older RSA security root. Their customers (web site administrators) had been using server certs issued from the old RSA Security root for years, and had never in their lives ever installed an intermediate CA cert into their servers. Then, when they applied for renewed certs, they got certs issued by Verisign's class 3 intermediate CA.

Verisign's web site explained to its subscribers the need to install the Intermediate CA cert into their servers.

http://www.verisign.com/support/advisories/page_029264.html
http://www.verisign.com/support/advisories/page_040601.html
http://www.verisign.com/support/advisories/page_040611.html

even in other languages (such as Japanese, here translated into English):

http://babelfish.altavista.com/babelfish/trurl_pagecontent?lp=ja_enurl=http%3A%2F%2Fwww.verisign.co.jp%2Fserver%2Fabout%2F2006rollover%2Fssid%2Findex.html

But many Verisign customers took no notice of those instructions. So, those web sites, operated by people who didn't read the notices, now have problems. The fault isn't FireFox's, nor Verisign's.

> and it wanting to rely on root certs that are no longer used by Verisign.

Wrong, on several counts.

1. Verisign's old RSA Security Secure Server authority cert doesn't expire until 2010. Until then, server certs issued by that CA will continue to validate against that root CA cert.

2. ALL certs are verified by following a chain (or path) of CA certs, beginning with the issuer of the server cert, then the issuer of that cert, and so on, until we come to a root CA cert (which is its own issuer). If the chain is incomplete, so that we cannot follow it all the way to the root, then the server cert cannot be verified.

Servers that send out incomplete cert chains are violating the standards for SSL 3.0 and/or TLS (SSL 3.1), which require servers to send out their entire cert chains, up to (but not including) the root CA. An SSL server that doesn't send its intermediate CA certs is simply non-conformant and mis-configured.

RFC 2246, the standard definition of TLS (SSL 3.1) says:

    certificate_list
        This is a sequence (chain) of X.509v3 certificates. The sender's
        certificate must come first in the list. Each following
        certificate must directly certify the one preceding it. Because
        certificate validation requires that root keys be distributed
        independently, the self-signed certificate which specifies the
        root certificate authority may optionally be omitted from the
        chain, under the assumption that the remote end must already
        possess it in order to validate it in any case.

Yes, there is a standard for certs that allows (but does not require) relying parties to go search on the internet for missing intermediate CA certs. But that standard does NOT relieve SSL servers of the obligation to send their entire server cert chains (minus the root CA cert, which is optional).

> At least this is what I understand the situation to be from threads at Mozillazine and dslreports security forum, etc. If this is not the case please enlighten me.

Ah yes, those fonts of indisputable truth. :)

The problems need to be fixed where they exist, in the misconfigured servers. Of course, it's easier to complain to mozilla, where in many cases you're more likely to get a reply, but the problem will be fixed when a sysadmin in Winnipeg fixes his server configuration. Maybe you can help him/her hasten that day.

/Nelson B (mozilla SSL developer, IETF TLS member, co-author RFC 4492)
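Added example, not part of the thread and not Mozilla or NSS code: a small Python model of the chain walk described in the message above, showing why a client that receives only the leaf cannot tell a genuine certificate from one signed by a look-alike intermediate, and how supplying the intermediate separates the two. Certificates are simplified records signed with textbook RSA over constructed toy keys; every name, key and function here (`verify_chain`, `Example Root CA`, `www.example.test`) is an assumption made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

E = 65537

def mersenne(k: int) -> int:
    """2**k - 1, prime for the exponents used below (61, 89, 107, 127, 521, 607)."""
    return 2**k - 1

def make_key(p: int, q: int) -> dict:
    """Toy textbook-RSA key from two known primes (constructed, not for real use)."""
    return {"n": p * q, "e": E, "d": pow(E, -1, (p - 1) * (q - 1))}

def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

@dataclass
class Cert:
    subject: str
    issuer: str
    pub: Optional[tuple]   # (n, e) of the subject; None for an end-entity cert
    sig: int = 0

    def tbs(self) -> bytes:
        # Stand-in for the DER "to be signed" bytes of a real X.509 cert.
        return repr((self.subject, self.issuer, self.pub)).encode()

def issue(subject, issuer_name, issuer_key, subject_key=None) -> Cert:
    pub = (subject_key["n"], subject_key["e"]) if subject_key else None
    cert = Cert(subject, issuer_name, pub)
    n = issuer_key["n"]
    cert.sig = pow(_digest(cert.tbs(), n), issuer_key["d"], n)
    return cert

def signed_by(cert: Cert, pub: tuple) -> bool:
    n, e = pub
    return pow(cert.sig, e, n) == _digest(cert.tbs(), n)

def verify_chain(sent, roots):
    """Walk the certificate_list (leaf first) until a trusted root signs a cert.

    Returns (status, name): name is the missing issuer or the cert that failed.
    Only name chaining and signatures are modelled; validity dates, CA flags
    and revocation are left out.
    """
    for i, cert in enumerate(sent):
        if cert.issuer in roots:                      # issuer is a trust anchor
            ok = signed_by(cert, roots[cert.issuer])
            return ("ok", None) if ok else ("bad signature", cert.subject)
        if i + 1 == len(sent) or sent[i + 1].subject != cert.issuer:
            return ("unknown issuer", cert.issuer)    # chain is incomplete
        nxt = sent[i + 1]                             # must certify this cert
        if nxt.pub is None or not signed_by(cert, nxt.pub):
            return ("bad signature", cert.subject)
    return ("unknown issuer", None)

# Constructed keys and certificates (none of these are real CA material).
ROOT_KEY = make_key(mersenne(89), mersenne(107))
INT_KEY = make_key(mersenne(61), mersenne(127))
OTHER_KEY = make_key(mersenne(521), mersenne(607))   # key the real CA never certified

ROOTS = {"Example Root CA": (ROOT_KEY["n"], E)}      # the client's root store
INTERMEDIATE = issue("Example Intermediate CA", "Example Root CA", ROOT_KEY, INT_KEY)
GENUINE_LEAF = issue("www.example.test", "Example Intermediate CA", INT_KEY)
# Look-alikes: same names, but signed with a key the root never vouched for.
LOOKALIKE_INT = issue("Example Intermediate CA", "Example Root CA", OTHER_KEY, OTHER_KEY)
LOOKALIKE_LEAF = issue("www.example.test", "Example Intermediate CA", OTHER_KEY)

def scenarios() -> dict:
    return {
        "genuine leaf only": verify_chain([GENUINE_LEAF], ROOTS),
        "look-alike leaf only": verify_chain([LOOKALIKE_LEAF], ROOTS),
        "genuine, full chain": verify_chain([GENUINE_LEAF, INTERMEDIATE], ROOTS),
        "look-alike leaf, real intermediate": verify_chain([LOOKALIKE_LEAF, INTERMEDIATE], ROOTS),
        "look-alike leaf and intermediate": verify_chain([LOOKALIKE_LEAF, LOOKALIKE_INT], ROOTS),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:38} -> {result}")
```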
Re: VeriSign Class 3 Secure Server CA?
I'm replying now to my own mail, as I misunderstood the statement from you...Of course this is not the correct answer to what you said

Eddy Nigg (StartCom Ltd.) wrote:

>> I can create a cert which claims to be a VeriSign Class 3 Secure Server CA and sign my webserver's cert with it. If you then visit my website, you'll get exactly the same error as you see at the ipsos.com site.
>
> Which however means, that your certificate installation isn't complete and should add the intermediate CA certificate to your server...Which server software are you using?

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390
Re: VeriSign Class 3 Secure Server CA?
Hi Nelson,

Nelson Bolyard wrote:

> Yes, there is a standard for certs that allows (but does not require) relying parties to go search on the internet for missing intermediate CA certs.

Do you have the quote from the corresponding RFC for this?

> But that standard does NOT relieve SSL servers of the obligation to send their entire server cert chains

Correct.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Phone: +1.213.341.0390