User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041003 Firefox/0.10.1 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041003 Firefox/0.10.1 A certificate of an eMail-only CA (nsCertType set to "emailCA") or an object-signing-only CA (nsCertType set to "objCA") can not be verified by the certificate manager. When using eMail-certificates issued by such a CA they can not be verified even if the CA's issuer is in the store of Certification Authorities in the certificate manager. The only way to make them available is to set their trust-level manually or to import the certificate of the CA which can not be verified and set its trust-level manually. Reproducible: Always Steps to Reproduce: 1. Create a CA's certificate signing request. 2. Sign this request with a CA's certificate, making sure, that the property "nsCertType" does not include "sslCA". 3. Import the issuing CA's certificate. 4. Import the just created certificate. Actual Results: The "General"-tab of the certificate display states "Could not verify this certificate for unknown reasons" Expected Results: The "General"-tab of the certificate display should state "This certificate has been verified for the following uses: xxx Certificate Authority", where "xxx" might be something like "eMail" or "Object". The bug can be seen in Firefox 1.0PR and Thunderbird 0.8. I've first discovered this bug under Linux, but it also applies to at least WindowsXP.
Created attachment 163230 [details] My personal root CA certificate This is the certificate against which the following certificate should be verified.
Created attachment 163231 [details] My personal eMail CA certificate This is the certificate which should be automatically verified by the certificate manager and to which the bug report applies.
This is an automated message, with ID "auto-resolve01". This bug has had no comments for a long time. Statistically, we have found that bug reports that have not been confirmed by a second user after three months are highly unlikely to be the source of a fix to the code. While your input is very important to us, our resources are limited and so we are asking for your help in focussing our efforts. If you can still reproduce this problem in the latest version of the product (see below for how to obtain a copy) or, for feature requests, if it's not present in the latest version and you still believe we should implement it, please visit the URL of this bug (given at the top of this mail) and add a comment to that effect, giving more reproduction information if you have it. If it is not a problem any longer, you need take no action. If this bug is not changed in any way in the next two weeks, it will be automatically resolved. Thank you for your help in this matter. The latest beta releases can be obtained from: Firefox: http://www.mozilla.org/projects/firefox/ Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html Seamonkey: http://www.mozilla.org/projects/seamonkey/
bug is still existent in Thunderbird 1.0.6 (20050823).
This is a bug in PSM (the cert manager). It reports that the cert cannot be verified, when that may not be true. And it fails to report what problem it thinks it found. I suspect this is a duplicate of bug 289988. That is, I think this bug, and bug 289988 have the same cause, even if the certs involved were issued by different CAs. In both cases, the problem is PSM's cert validation.
Component: Security: S/MIME → Security: PSM
Status: UNCONFIRMED → NEW
Ever confirmed: true
Attachment #163230 - Attachment mime type: text/plain → application/x-x509-ca-cert
Attachment #163231 - Attachment mime type: text/plain → application/x-x509-email-cert
Assignee: kaie → nobody
Depends on: 91403
Whiteboard: [kerh-coz] → [kerh-coz][psm-feedback]
nsCertType isn't supported.
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.