Verification of eMail-CA's certificate fails "for unknown reasons"




Security: PSM
14 years ago
2 years ago


(Reporter: Felix Tiede, Unassigned)


(Depends on: 1 bug)

Other Branch
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)


(Whiteboard: [kerh-coz][psm-feedback])


(2 attachments)



14 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041003 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041003 Firefox/0.10.1

A certificate of an eMail-only CA (nsCertType set to "emailCA") or an
object-signing-only CA (nsCertType set to "objCA") can not be verified by the
certificate manager.
When using eMail-certificates issued by such a CA they can not be verified even
if the CA's issuer is in the store of Certification Authorities in the
certificate manager. The only way to make them available is to set their
trust-level manually or to import the certificate of the CA which can not be
verified and set its trust-level manually.

Reproducible: Always
Steps to Reproduce:
1. Create a CA's certificate signing request.
2. Sign this request with a CA's certificate, making sure, that the property
"nsCertType" does not include "sslCA".
3. Import the issuing CA's certificate.
4. Import the just created certificate.

Actual Results:  
The "General"-tab of the certificate display states
"Could not verify this certificate for unknown reasons"

Expected Results:  
The "General"-tab of the certificate display should state
"This certificate has been verified for the following uses:
xxx Certificate Authority", where "xxx" might be something like "eMail" or "Object".

The bug can be seen in Firefox 1.0PR and Thunderbird 0.8.
I've first discovered this bug under Linux, but it also applies to at least

Comment 1

14 years ago
Created attachment 163230 [details]
My personal root CA certificate

This is the certificate against which the following certificate should be

Comment 2

14 years ago
Created attachment 163231 [details]
My personal eMail CA certificate

This is the certificate which should be automatically verified by the
certificate manager and to which the bug report applies.


14 years ago
Component: Security: S/MIME → Security: S/MIME
Product: PSM → Core
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:

Comment 4

13 years ago
bug is still existent in Thunderbird 1.0.6 (20050823).


13 years ago
Whiteboard: [kerh-coz]
This is a bug in PSM (the cert manager).  
It reports that the cert cannot be verified, when that may not be true.
And it fails to report what problem it thinks it found.  

I suspect this is a duplicate of bug 289988.
That is, I think this bug, and bug 289988 have the same cause, even if 
the certs involved were issued by different CAs.  In both cases, the 
problem is PSM's cert validation.  
Component: Security: S/MIME → Security: PSM
QA Contact: psm
Ever confirmed: true
Attachment #163230 - Attachment mime type: text/plain → application/x-x509-ca-cert
Attachment #163231 - Attachment mime type: text/plain → application/x-x509-email-cert
This bug is superficially a duplicate of bug 91403, but this bug is about
Thunderbird and email certs, while bug 91403 is about browsers.  
So I'm not marking this as a dupl  But feel free to do so if you think 
that both issues will be resolved by the same patch.


8 years ago
Assignee: kaie → nobody
Depends on: 91403
Whiteboard: [kerh-coz] → [kerh-coz][psm-feedback]
nsCertType isn't supported.
Last Resolved: 2 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.