Closed Bug 373488 Opened 17 years ago Closed 17 years ago

Add intermediate VeriSign certificate to built-in cert list

Categories

(CA Program :: CA Certificate Root Program, task)

x86
Windows XP
task
Not set
normal

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: jscher, Assigned: hecker)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.2) Gecko/20070219 Firefox/2.0.0.2

VeriSign certificates issued under an intermediate authority are not trusted because they cannot be linked back to the public root. This probably is a web server configuration issue, but as a workaround and convenience to the user, and to prevent complaints about browser dysfunctionality, suggest including the intermediate certificate. See for more: http://forums.mozillazine.org/viewtopic.php?t=529009#2789580

Reproducible: Always

Steps to Reproduce:
1. Navigate to URL

Actual Results:  
Firefox displays dialog prompting user to decide whether to accept the certificate.

It is not "probably" a server configuration issue, it is *ABSOLUTELY* a server configuration issue. The standards for TLS and SSL3 all make it absolutely clear that the server must send its ENTIRE cert chain (with or without the root CA cert itself).

Unfortunately, mozilla's UI for reporting these errors practically BEGS mozilla users to report these problems with misconfigured servers to mozilla, as if they were mozilla bugs. That will change in FF3.

Nelson is right. I believe earlier bugs on similar issues with different sites have been resolved as WONTFIX. IE does some magic to work around the problem here, and so IE users sometimes don't see it. But I seem to remember that when some Microsoft servers were misconfigured in exactly this way, even they were happy to fix them.

Gerv

We believe that IE routinely keeps a copy of every intermediate CA cert that it sees (that it can validate). Long ago, we decided not to do that, although I don't remember all the reasons why we did that. PSM could elect to do that.
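
The failure discussed in the comments above, as an added example that is not part of the original bug thread or of any Mozilla or NSS code: a name-based model of certificate path building, showing why a server that omits its intermediate fails in a client with no cache and succeeds in one that remembers intermediates. All certificate names are constructed, and signature checking is left out as a stated simplification.

```python
# Added example: name-based model of certificate path building.
# Each cert is a (subject, issuer) pair. Real validators also check
# signatures, validity dates and constraints; those are omitted here.

# Constructed names, not taken from the bug report.
ROOT = ("Example Root CA", "Example Root CA")            # self-signed
INTERMEDIATE = ("Example Intermediate CA", "Example Root CA")
LEAF = ("www.example.test", "Example Intermediate CA")
TRUST_STORE = {"Example Root CA"}                        # built-in roots


def build_path(sent_chain, trust_store, cached_intermediates=()):
    """Try to link sent_chain[0] (the leaf) to a trusted root.

    sent_chain: certs the server sent, leaf first.
    cached_intermediates: certs the client kept from earlier connections
    (the behaviour the thread attributes to IE).
    Returns (ok, path_of_subjects, missing_issuer).
    """
    if not sent_chain:
        return False, [], None
    # Candidate issuers: cached certs plus everything sent after the leaf.
    candidates = {}
    for cert in list(cached_intermediates) + list(sent_chain[1:]):
        candidates[cert[0]] = cert
    current = sent_chain[0]
    path = [current[0]]
    while current[1] not in trust_store:
        issuer_cert = candidates.get(current[1])
        # Stop when the issuer is unavailable or the names loop.
        if issuer_cert is None or issuer_cert[0] in path:
            return False, path, current[1]
        path.append(issuer_cert[0])
        current = issuer_cert
    if current[1] != current[0]:
        path.append(current[1])  # the trusted root that anchors the path
    return True, path, None


if __name__ == "__main__":
    cases = {
        "full chain, root omitted": ([LEAF, INTERMEDIATE], ()),
        "full chain, root included": ([LEAF, INTERMEDIATE, ROOT], ()),
        "intermediate missing": ([LEAF], ()),
        "intermediate missing, client cache": ([LEAF], [INTERMEDIATE]),
    }
    for label, (chain, cache) in cases.items():
        print(label, "->", build_path(chain, TRUST_STORE, cache))
```

The `missing_issuer` value in the failing case names the certificate the server administrator has to add to the served chain.
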
Summary: Some servers not sending intermediate VeriSign certificate, breaking the chain of trust. Should we pre-trust it? → Add intermediate VeriSign certificate to built-in cert list

This is pretty rare. We aren't going to implement a feature like this, with our stretched resources, just to save one site admin the hassle of complying with standards.

Gerv

Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Product: mozilla.org → NSS
Product: NSS → CA Program