Re: interesting issue found yesterday

I'm unfamiliar with the specifics of the AIA attribute, and what
browsers are *required* to do.  However, this could have been prevented
by simply visiting the site with all of the major browsers (assuming
this is a widespread problem, and not just a misconfiguration of your
browser).

serge

Timothy Hahn wrote:
> 
> Yngve and Serge,
> 
> Thanks for the responses.
> 
> How could we describe to server administrators what they need to be
> aware of in order to configure their sites correctly?
> 
> From both of your responses, this sounds like something that COULD have
> been avoided had the website administrator "done the right thing".  What
> is that "right thing" which they need to do?
> 
> Should user agents also be prepared to follow/refer to URLs in AIA
> attributes within SSL server certificates?
> 
> Regards,
> Tim Hahn
> 
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
> 
> 
> *"Yngve Nysaeter Pettersen" <yngve@opera.com>*
> Sent by: public-wsc-wg-request@w3.org
> 03/14/07 10:43 AM
> Please respond to: yngve@opera.com
> To: Timothy Hahn/Durham/IBM@IBMUS, public-wsc-wg@w3.org
> Subject: Re: interesting issue found yesterday
> 
> Hello Tim,
> 
> On Wed, 14 Mar 2007 15:01:23 +0100, Timothy Hahn <hahnt@us.ibm.com> wrote:
> 
>> On page load - Firefox popped up a message telling me it didn't like the
>> company's Server certificate!!!  So I investigated.  The indication was
>> that the cert was signed by an unknown signer.  So I looked at the signer
>> information.  It said "Verisign Class 3 ..." from "Verisign. Inc.".
>>
>> So I looked at my set of known CA signer certificates ... I have 3 (count
>> 'em 3) Verisign Class 3 CA signer certificates known to my Firefox
>> install.
>>
>> So how could it be that I don't have the "right one"?  (actually, I know
>> how it could be - Verisign created a new one, and I didn't know I was
>> supposed to go out and get it ... or I have a Firefox install that hadn't
>> had the right CA signer's update applied).
>>
>> Everything looks right ... even to my eyes which ought to know better ...
>> what could possibly be the issue?
> 
> You may have encountered a website that is missing the Intermediate CA
> certificate from Verisign. AFAIK, Verisign class 3 certs are usually
> organized subscriber->intermediate->root.
> 
> What happens in some cases is that IE will download the intermediate if it
> is missing and there is a URL (the AIA attribute) in the site certificate,
> which means it will not complain. AFAIK Mozilla (and Opera) does not do
> this, which means that we are not able to complete the chain, and pop up a
> certificate warning.
> 
> This is a configuration issue on the server.
> 
> 
> -- 
> Sincerely,
> Yngve N. Pettersen
> 
> ********************************************************************
> Senior Developer                                               Email:
> yngve@opera.com
> Opera Software ASA                   http://www.opera.com/
> Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
> ********************************************************************
> 
> 

-- 
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Wednesday, 14 March 2007 16:11:20 UTC
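
The missing-intermediate situation described in this thread, reproduced locally with OpenSSL as an added example (not part of the original messages). The CA and host names, the file names, and the helper functions make_pki and strict_client_accepts are constructed for illustration; the check models a client that does not fetch issuers through AIA.

```shell
#!/usr/bin/env bash
# Constructed three-tier PKI (root -> intermediate -> leaf); all names are made up.
make_pki() {  # $1 = empty working directory
  ( cd "$1" || exit 1
    cat > pki.cnf <<'EOF'
[req]
distinguished_name = dn
[dn]
[ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[leaf]
basicConstraints = CA:FALSE
EOF
    issue() {  # issue <name> <subject> <signer> <extension section>
      openssl req -config pki.cnf -new -newkey rsa:2048 -nodes \
        -keyout "$1.key" -out "$1.csr" -subj "$2" &&
      openssl x509 -req -in "$1.csr" -CA "$3.pem" -CAkey "$3.key" \
        -CAcreateserial -extfile pki.cnf -extensions "$4" -out "$1.pem" -days 2
    }
    openssl req -config pki.cnf -x509 -extensions ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj "/CN=Constructed Root CA" -days 2 &&
    issue int "/CN=Constructed Intermediate CA" root ca &&
    issue leaf "/CN=www.example.test" int leaf
  ) >/dev/null 2>&1
}

# Models a client that does not fetch missing issuers via AIA: it can only
# chain through certificates the server sent plus its own trust anchors.
# $1 = trust anchor, $2 = server certificate, $3 = intermediates sent (optional)
strict_client_accepts() {
  if [ -n "${3:-}" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" 2>/dev/null | grep -q ': OK$'
  else
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
  fi
}

d=$(mktemp -d) && make_pki "$d" || { echo "PKI setup failed" >&2; exit 1; }
for sent in "" "$d/int.pem"; do
  if strict_client_accepts "$d/root.pem" "$d/leaf.pem" "$sent"; then
    echo "server sends leaf${sent:+ + intermediate}: chain completes"
  else
    echo "server sends leaf${sent:+ + intermediate}: unknown issuer warning"
  fi
done
```

The server-side fix is to configure the server to send the intermediate certificate along with its own. For a deployed site, `openssl s_client -connect HOST:443 -showcerts` (HOST is a placeholder) lists the certificates the server actually sends.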