Closed
Bug 373488
Opened 17 years ago
Closed 17 years ago
Add intermediate VeriSign certificate to built-in cert list
Categories
(CA Program :: CA Certificate Root Program, task)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: jscher, Assigned: hecker)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

VeriSign certificates issued under an intermediate authority are not trusted because they cannot be linked back to the public root. This probably is a web server configuration issue, but as a workaround and convenience to the user, and to prevent complaints about browser dysfunctionality, suggest including the intermediate certificate.

See for more: http://forums.mozillazine.org/viewtopic.php?t=529009#2789580

Reproducible: Always

Steps to Reproduce:
1. Navigate to URL

Actual Results:
Firefox displays dialog prompting user to decide whether to accept the certificate.
Comment 1•17 years ago
It is not "probably" a server configuration issue, it is *ABSOLUTELY* a server configuration issue. The standards for TLS and SSL3 all make it absolutely clear that the server must send its ENTIRE cert chain (with or without the root CA cert itself). Unfortunately, mozilla's UI for reporting these errors practically BEGS mozilla users to report these problems with misconfigured servers to mozilla, as if they were mozilla bugs. That will change in FF3.
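The requirement described in Comment 1, as an added example that is not part of the bug thread or of any Mozilla code: a name-chaining check over the certificate list a server sent, which reports the CA whose certificate is missing. The function names and the unsigned sample certificates are constructed for illustration, and only issuer/subject names are compared (signatures are not verified).

```python
OID_CN = bytes.fromhex("0603550403")  # DER encoding of OID 2.5.4.3 (commonName)

def read_tlv(data, pos):
    """Decode one DER element at pos; return (tag, value, end_offset)."""
    tag, n = data[pos], data[pos + 1]
    pos += 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        size = n & 0x7F
        n = int.from_bytes(data[pos:pos + size], "big")
        pos += size
    return tag, data[pos:pos + n], pos + n

def issuer_and_subject(cert):
    """Return the raw DER issuer and subject Names of one X.509 certificate."""
    tbs = read_tlv(read_tlv(cert, 0)[1], 0)[1]  # Certificate -> TBSCertificate
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, end = read_tlv(tbs, pos)
        if tag != 0xA0:  # skip the optional [0] version field
            fields.append(tbs[pos:end])
        pos = end
    return fields[2], fields[4]  # serial, sigAlg, issuer, validity, subject

def missing_issuer(sent, trusted_subjects):
    """Return the issuer Name the client cannot link through, or None if complete."""
    # `sent` is in protocol order: leaf first, each later cert certifying the previous.
    for i, cert in enumerate(sent):
        issuer = issuer_and_subject(cert)[0]
        if issuer in trusted_subjects:
            return None  # reached a root the client already trusts
        if i + 1 == len(sent) or issuer_and_subject(sent[i + 1])[1] != issuer:
            return issuer  # the server never sent this CA's certificate
    return None

# --- Constructed sample data: unsigned skeletons, not real certificates ---
def der(tag, value):
    assert len(value) < 0x80  # samples are short, so one length byte suffices
    return bytes([tag, len(value)]) + value

def name(cn):
    return der(0x30, der(0x31, der(0x30, OID_CN + der(0x0C, cn.encode()))))

def skeleton(subject, issuer):
    empty = der(0x30, b"")
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + empty + issuer + empty + subject + empty
    return der(0x30, der(0x30, tbs) + empty + der(0x03, b"\x00"))

ROOT, INTER, SITE = name("Constructed Root CA"), name("Constructed Intermediate CA"), name("www.example.test")
leaf, inter = skeleton(SITE, INTER), skeleton(INTER, ROOT)
TRUSTED = {ROOT}
```

`missing_issuer([leaf], TRUSTED)` models the misconfigured server from this bug and returns the intermediate's Name; with `[leaf, inter]` the list links to the trusted root and the result is `None`.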
Comment 2•17 years ago
Nelson is right. I believe earlier bugs on similar issues with different sites have been resolved as WONTFIX. IE does some magic to work around the problem here, and so IE users sometimes don't see it. But I seem to remember that when some Microsoft servers were misconfigured in exactly this way, even they were happy to fix them.

Gerv
Comment 3•17 years ago
We believe that IE routinely keeps a copy of every intermediate CA cert that it sees (that it can validate). Long ago, we decided not to do that, although I don't remember all the reasons why we did that. PSM could elect to do that.
Summary: Some servers not sending intermediate VeriSign certificate, breaking the chain of trust. Should we pre-trust it? → Add intermediate VeriSign certificate to built-in cert list
Comment 4•17 years ago
This is pretty rare. We aren't going to implement a feature like this, with our stretched resources, just to save one site admin the hassle of complying with standards.

Gerv
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Updated•7 years ago
Product: mozilla.org → NSS
Updated•2 years ago
Product: NSS → CA Program