Open Bug 385601 Opened 18 years ago Updated 2 years ago

When importing an email certificate, Thunderbird does not check the whole CA hierarchy

Categories

(MailNews Core :: Security: S/MIME, defect)

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: oto, Unassigned)

Details

(Whiteboard: [psm-smime][psm-cert-manager])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.4
Build Identifier: MozillaThunderbird version 2.0.0.4 (20070604)

When importing an email certificate to the Other People's tab, a certificate hierarchy is not checked from root. Therefore, if the email certificate is not signed directly by a trusted CA, but by an intermediate CA (which is a case of Thawte), the import fails. User has to import any intermediate CA's manually - which makes the presence of Thawte Root CA in a default installation useless.

Reproducible: Always

Steps to Reproduce:
1. Ensure that "Thawte Personal Freemail Issuing CA" is not in the Authorities Tab (because this is the default)
2. Download the email certificate from http://oto.valek.net/oto@valek.net.der
3. Try to import it using the "Import" button on Other People's tab

Actual Results:
The import fails with a "certificate can't be verified" message

Expected Results:
This certificate CAN be verified and should be imported. It includes whole and valid certificate chain and the root certificate (Thawte Personal Freemail CA) is among the builtin authorities.

+ Thawte Personal Freemail CA [root CA certificate]
  + Thawte Personal Freemail Issuing CA [intermediate CA certificate]
    + Oto Válek [email user certificate]

User has to circumvent this problem by either
- extracting the "Thawte Personal Freemail Issuing CA" certificate from the file
- importing it to the Authorities Tab manually
- importing the email certificate again
or
- wait for some signed email to arrive - because in this case, the "Thawte Personal Freemail Issuing CA" is added to the Authorities Tab automatically and without asking (!)
or
- import his own .p12 private key from Thawte - because in this case, the "Thawte Personal Freemail Issuing CA" is added to the Authorities Tab too ...
A further test with http://oto.valek.net/oto@valek.net.p7b : With this (PKCS7) format, certificate is imported and the "Thawte Personal Freemail Issuing CA" is added to the Authorities tab, which is all OK. However, the "certificate can't be verified and will not be imported" message is still shown. Thunderbird also does not recognize the .p7b extension as supported.
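The chain from the report (trusted root, issuing CA, e-mail certificate), rebuilt as an added example with a constructed PKI and the `openssl` command line; it is not part of the bug report and not Thunderbird or NSS code. It shows the same leaf failing when only the root is available and verifying once the issuing CA is offered as an untrusted helper. All certificate names, the `example.test` address and the file names are made up, and the `openssl` tool is assumed to be installed.

```shell
# Added example: constructed root -> issuing CA -> e-mail certificate chain.
# All names, files and addresses are made up; this is not Thunderbird/NSS code.
make_chain() {  # $1 = working directory
    cat > "$1/x.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = unused
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = emailProtection
subjectAltName = email:user@example.test
EOF
    ( cd "$1" &&
      # Self-signed root: stands in for the built-in trust anchor.
      openssl req -x509 -config x.cnf -extensions ca -newkey rsa:2048 -nodes \
          -days 30 -subj "/CN=Example Root CA" -keyout root.key -out root.pem &&
      # Issuing CA signed by the root: the one missing from the Authorities tab.
      openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
          -subj "/CN=Example Issuing CA" -keyout int.key -out int.csr &&
      openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
          -days 30 -extfile x.cnf -extensions ca -out int.pem &&
      # End-entity e-mail certificate signed by the issuing CA.
      openssl req -new -config x.cnf -newkey rsa:2048 -nodes \
          -subj "/CN=Example User" -keyout leaf.key -out leaf.csr &&
      openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
          -days 30 -extfile x.cnf -extensions leaf -out leaf.pem
    ) >/dev/null 2>&1
}
# Direct-issuer-only check: the trust store holds the root and nothing else.
verify_root_only() {
    openssl verify -purpose smimesign -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}
# Path building: the issuing CA shipped with the certificate is offered as an
# untrusted helper; trust still comes only from the root.
verify_with_bundle() {
    openssl verify -purpose smimesign -CAfile "$1/root.pem" \
        -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT
make_chain "$work" || { echo "openssl could not build the sample chain" >&2; exit 1; }
verify_root_only "$work"   && echo "root only:   verified" || echo "root only:   cannot be verified"
verify_with_bundle "$work" && echo "with bundle: verified" || echo "with bundle: cannot be verified"
```

The `-untrusted` file only supplies candidates for building the path; a certificate listed there never becomes a trust anchor.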
Product: Core → MailNews Core
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Lightning/1.0pre Thunderbird/3.0b3

I have tested both cases mentioned in comment #1 and #2.

For the certificate in comment #1: the certificate is not imported, with no message/pop-up and nothing in the message console.

For the certificate in comment #2: the .p7b extension is not recognized; the certificate is correctly imported, but with the alert message "This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved."

Hope this helps.
kaie, what would you need to further investigate the issue?
Assignee: kaie → nobody
Whiteboard: [psm-smime][psm-cert-manager]
Removing myself on all the bugs I'm CCed on. Please NI me if you need something on MailNews Core bugs from me.
Severity: normal → S3