Re: interesting issue found yesterday

Yngve and Serge,

Thanks for the responses.

How could we describe to server administrators what they need to be aware 
of in order to configure their sites correctly?

From both of your responses, this sounds like something that COULD have 
been avoided had the website administrator "done the right thing".  What 
is that "right thing" which they need to do?

Should user agents also be prepared to follow/refer to URLs in AIA 
attributes within SSL server certificates?

Regards,
Tim Hahn

Internet: hahnt@us.ibm.com
Internal: Timothy Hahn/Durham/IBM@IBMUS
phone: 919.224.1565     tie-line: 8/687.1565
fax: 919.224.2530




"Yngve Nysaeter Pettersen" <yngve@opera.com> 
Sent by: public-wsc-wg-request@w3.org
03/14/07 10:43 AM
Please respond to: yngve@opera.com
To: Timothy Hahn/Durham/IBM@IBMUS, public-wsc-wg@w3.org
Subject: Re: interesting issue found yesterday

Hello Tim,

On Wed, 14 Mar 2007 15:01:23 +0100, Timothy Hahn <hahnt@us.ibm.com> wrote:

> On page load - Firefox popped up a message telling me it didn't like the
> company's Server certificate!!!  So I investigated.  The indication was
> that the cert was signed by an unknown signer.  So I looked at the signer
> information.  It said "Verisign Class 3 ..." from "Verisign. Inc.".
>
> So I looked at my set of known CA signer certificates ... I have 3 (count
> 'em 3) Verisign Class 3 CA signer certificates known to my Firefox
> install.
>
> So how could it be that I don't have the "right one"?  (actually, I know
> how it could be - Verisign created a new one, and I didn't know I was
> supposed to go out and get it ... or I have a Firefox install that hadn't
> had the right CA signer's update applied).
>
> Everything looks right ... even to my eyes which ought to know better ...
> what could possibly be the issue?

You may have encountered a website that is missing the Intermediate CA 
certificate from Verisign. AFAIK, Verisign class 3 certs are usually 
organized subscriber->intermediate->root.

What happens in some cases is that IE will download the intermediate if it 
is missing and there is a URL (the AIA attribute) in the site certificate, 
which means it will not complain. AFAIK Mozilla (and Opera) does not do 
this, which means that we are not able to complete the chain, and pop up a 
certificate warning.

This is a configuration issue on the server.


-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

Received on Wednesday, 14 March 2007 16:01:54 UTC
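
As an added illustration, not part of either message: a shell sketch using the openssl CLI that builds a throwaway subscriber->intermediate->root chain and verifies the subscriber certificate as a client that trusts only the root would, first with the intermediate missing and then with it supplied alongside the site certificate. All names, keys and certificates are constructed, and the function names `make_chain` and `client_accepts` are hypothetical.

```shell
#!/bin/sh
# Constructed demo: every name, key and certificate here is throwaway test material.
# Chain shape from the thread: subscriber -> intermediate -> root.

make_chain() {  # $1 = empty work directory
  ( cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\n' > leaf.ext
    for n in root inter leaf; do
      openssl ecparam -name prime256v1 -genkey -noout -out "$n.key" || exit 1
    done
    openssl req -new -key root.key  -subj '/CN=Demo Root CA'         -out root.csr  || exit 1
    openssl req -new -key inter.key -subj '/CN=Demo Intermediate CA' -out inter.csr || exit 1
    openssl req -new -key leaf.key  -subj '/CN=www.example.test'     -out leaf.csr  || exit 1
    # Root is self-signed; root signs the intermediate; the intermediate signs the leaf.
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 \
      -out root.pem || exit 1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -set_serial 2 \
      -extfile ca.ext -days 2 -out inter.pem || exit 1
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -set_serial 3 \
      -extfile leaf.ext -days 2 -out leaf.pem || exit 1
  ) >/dev/null 2>&1
}

# $1 = work directory, $2 = what the server sends: "leaf-only" or "full-chain".
# The client trusts only root.pem; -untrusted models certificates received from
# the server in the handshake, which help build the chain but are not trusted.
client_accepts() {
  dir=$1
  if [ "$2" = full-chain ]; then
    out=$(openssl verify -CAfile "$dir/root.pem" -untrusted "$dir/inter.pem" \
      "$dir/leaf.pem" 2>&1) || true
  else
    out=$(openssl verify -CAfile "$dir/root.pem" "$dir/leaf.pem" 2>&1) || true
  fi
  case $out in *": OK"*) return 0 ;; *) return 1 ;; esac
}

work=$(mktemp -d) && make_chain "$work" || { echo "openssl setup failed" >&2; exit 1; }
for sent in leaf-only full-chain; do
  if client_accepts "$work" "$sent"; then
    echo "$sent: chain verifies"
  else
    echo "$sent: issuer not found, client shows a certificate warning"
  fi
done
rm -rf "$work"
```

The leaf-only case reproduces the unknown-signer result for a client that does not fetch the intermediate itself; a server that presents the intermediate together with its own certificate gives the full-chain result.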