Bug 531160 - libpkix ignores the P (trusted peer) trust flag
Status: RESOLVED DUPLICATE of bug 647364
Product: NSS
Classification: Components
Component: Libraries
Version: 3.12.4
Platform: All All
Importance: -- normal with 4 votes
Target Milestone: 3.13.3
Assigned To: Wan-Teh Chang
Reported: 2009-11-25 14:22 PST by Wan-Teh Chang
Modified: 2012-02-10 14:11 PST

Description Wan-Teh Chang 2009-11-25 14:22:04 PST
I created a self-signed server certificate and added it to
my NSS certificate database with the "P,," trust flags.

This allows CERT_VerifyCertNow to verify the certificate
successfully.  However, CERT_PKIXVerifyCert still fails
with the SEC_ERROR_UNKNOWN_ISSUER error (-8179).  I have
to set the "C,," trust flags to make CERT_PKIXVerifyCert
succeed, but trusting a self-signed server certificate
as a CA ('C' means "trusted CA to issue server certificates")
gives more trust to the certificate than necessary.
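
An added example, not part of the original report or of NSS: a Python audit of `certutil -L` output that lists entries carrying CA trust (C or T) in the SSL field, which is what the "C,," workaround described above grants. The sample listing, the nicknames and the `expected_cas` allow-list are constructed for illustration.

```python
import re

# Trust flags as documented for `certutil -t`; fields are SSL, S/MIME, code signing.
FLAGS = {
    "p": "valid peer",
    "P": "trusted peer",
    "c": "valid CA",
    "C": "trusted CA to issue server certificates",
    "T": "trusted CA to issue client certificates",
    "u": "user certificate",
    "w": "send warning",
}
USAGES = ("ssl", "email", "objsign")
ROW = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

# Constructed sample of `certutil -L` output; the nicknames are made up.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Root CA                                              CT,C,C
intranet.example.test                                        P,,
build.example.test                                           C,,
"""

def parse_trust(trust):
    """Split a 'P,,' style string into {usage: set_of_flags}."""
    fields = trust.split(",")
    if len(fields) != 3:
        raise ValueError(f"expected 3 comma-separated fields: {trust!r}")
    for field in fields:
        unknown = set(field) - set(FLAGS)
        if unknown:
            raise ValueError(f"unknown trust flag(s) {sorted(unknown)} in {trust!r}")
    return dict(zip(USAGES, map(set, fields)))

def parse_listing(text):
    """Yield (nickname, trust_string) rows, skipping the two header lines."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            yield m.group(1), m.group(2)

def unexpected_ssl_cas(text, expected_cas=()):
    """Nicknames with C or T in the SSL field that are not on the allow-list."""
    return [nick for nick, trust in parse_listing(text)
            if parse_trust(trust)["ssl"] & {"C", "T"} and nick not in expected_cas]

if __name__ == "__main__":
    for nick in unexpected_ssl_cas(SAMPLE, {"Example Root CA"}):
        print(f"{nick}: CA trust for SSL; check whether 'P,,' was intended")
```
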

Comment 1 Nicholas Tung 2010-02-24 08:25:45 PST
I'm using this for a specific domain's self signed certificate. Does anyone know if the "C" flag allows the domain to sign arbitrary other domains, like gmail.com?

Thanks,
Nicholas

Comment 2 Nelson Bolyard (seldom reads bugmail) 2010-02-24 11:02:24 PST
Nicholas, questions like yours should be asked in mozilla.dev.tech.crypto newsgroup or dev-tech-crypto mailing list.

Comment 3 Wan-Teh Chang 2012-02-10 14:11:16 PST
Marked this bug as a duplicate even though this bug was filed first.
The other bug has more info.

*** This bug has been marked as a duplicate of bug 647364 ***