- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Wed, 14 Mar 2007 12:09:48 -0400
- To: Timothy Hahn <hahnt@us.ibm.com>
- CC: public-wsc-wg@w3.org
I'm unfamiliar with the specifics of the AIA attribute, and what browsers are *required* to do. However, this could have been prevented by simply visiting the site with all of the major browsers (assuming this is a widespread problem, and not just a misconfiguration of your browser).

serge

Timothy Hahn wrote:
>
> Yngve and Serge,
>
> Thanks for the responses.
>
> How could we describe, to server administrators what they need to be
> aware of in order to configure their sites correctly?
>
> From both of your responses, this sounds like something that COULD have
> been avoided had the website administrator "done the right thing". What
> is that "right thing" which they need to do?
>
> Should user agents also be prepared to follow/refer to URLs in AIA
> attributes within SSL server certificates?
>
> Regards,
> Tim Hahn
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565 tie-line: 8/687.1565
> fax: 919.224.2530
>
>
> *"Yngve Nysaeter Pettersen" <yngve@opera.com>*
> Sent by: public-wsc-wg-request@w3.org
> 03/14/07 10:43 AM
> Please respond to: yngve@opera.com
> To: Timothy Hahn/Durham/IBM@IBMUS, public-wsc-wg@w3.org
> cc:
> Subject: Re: interesting issue found yesterday
>
>
> Hello Tim,
>
> On Wed, 14 Mar 2007 15:01:23 +0100, Timothy Hahn <hahnt@us.ibm.com> wrote:
>
>> On page load - Firefox popped up a message telling me it didn't like the
>> company's Server certificate!!! So I investigated. The indication was
>> that the cert was signed by an unknown signer. So I looked at the signer
>> information. It said "Verisign Class 3 ..." from "Verisign. Inc.".
>>
>> So I looked at my set of known CA signer certificates ... I have 3 (count
>> 'em 3) Verisign Class 3 CA signer certificates known to my Firefox
>> install.
>>
>> So how could it be that I don't have the "right one"? (actually, I know
>> how it could be - Verisign created a new one, and I didn't know I was
>> supposed to go out and get it ... or I have a Firefox install that hadn't
>> had the right CA signer's update applied).
>>
>> Everything looks right ... even to my eyes which ought to know better ...
>> what could possibly be the issue?
>
> You may have encountered a website that is missing the Intermediate CA
> certificate from Verisign. AFAIK, Verisign class 3 certs are usually
> organized subscriber->intermediate->root .
>
> What happens in some cases is that IE will download the intermediate if it
> is missing and there is a URL (the AIA attribute) in the site certificate,
> which means it will not complain. AFAIK Mozilla (and Opera) does not do
> this, which means that we are not able to complete the chain, and pop up a
> certificate warning
>
> This is a configuration issue on the server.
>
>
> --
> Sincerely,
> Yngve N. Pettersen
>
> ********************************************************************
> Senior Developer                     Email: yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone: +47 24 16 42 60               Fax: +47 24 16 40 01
> ********************************************************************
>

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/
Received on Wednesday, 14 March 2007 16:11:20 UTC
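
As an added illustration (not part of any message in this thread), the shell sketch below builds a constructed root -> intermediate -> leaf hierarchy with the openssl CLI and verifies the leaf the way a client that does not follow AIA would: once with only the leaf presented, once with the intermediate presented alongside it. All names, subjects and file paths are constructed, and it assumes OpenSSL 1.1.1 or later on the PATH.

```shell
#!/bin/sh
# Constructed demo PKI: root -> intermediate -> leaf (all names are made up).
set -e

# mkcert NAME ISSUER [ca]  (ISSUER is "self" or the NAME of the signing CA)
mkcert() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=Constructed demo $1" 2>/dev/null
    if [ "$2" = self ]; then sign="-signkey $1.key"
    else sign="-CA $2.pem -CAkey $2.key -CAcreateserial"; fi
    if [ "$3" = ca ]; then ext="-extfile ca.ext"; else ext=""; fi
    # $sign and $ext are split on purpose; the file names contain no spaces.
    openssl x509 -req -in "$1.csr" $sign $ext -days 2 -out "$1.pem" 2>/dev/null
}

# build_demo_pki DIR: writes root.pem, intermediate.pem and leaf.pem into DIR.
build_demo_pki() (
    cd "$1"
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' > ca.ext
    mkcert root self ca
    mkcert intermediate root ca
    mkcert leaf intermediate
)

# chain_check ROOT LEAF [SENT]: verify LEAF against trust anchor ROOT using only
# the extra certificates in SENT (what the server put in its handshake).
# No AIA fetching happens here, matching a client that does not chase issuers.
chain_check() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

demo=$(mktemp -d)
build_demo_pki "$demo"
for sent in "" "$demo/intermediate.pem"; do
    if chain_check "$demo/root.pem" "$demo/leaf.pem" "$sent"; then
        echo "server sends leaf + [${sent##*/}]: chain builds"
    else
        echo "server sends leaf + [${sent##*/}]: unknown issuer warning"
    fi
done
rm -rf "$demo"
```

The first case reproduces the symptom described in the thread (the root is trusted, yet the signer is reported as unknown); the second shows the same leaf verifying once the server presents the intermediate itself.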