Re: interesting issue found yesterday

On Wed, 14 Mar 2007 17:01:40 +0100, Timothy Hahn <hahnt@us.ibm.com> wrote:

> Yngve and Serge,
>
> Thanks for the responses.
>
> How could we describe, to server administrators, what they need to be
> aware of in order to configure their sites correctly?
>
> From both of your responses, this sounds like something that COULD have
> been avoided had the website administrator "done the right thing".  What
> is that "right thing" which they need to do?

AFAIK (Philip probably knows this better than me) the site administrator
gets a list of certificates to be installed, and all of them must be
installed and sent by the server.

That this is done correctly will in fact become even more important when a  
site installs an EV certificate.

> Should user agents also be prepared to follow/refer to URLs in AIA
> attributes within SSL server certificates?

Maybe, but it complicates the certificate verification process quite a bit  
(even more so than OCSP).

There will still be old clients in use for years that do not have the
capability.

> Regards,
> Tim Hahn
>
> Internet: hahnt@us.ibm.com
> Internal: Timothy Hahn/Durham/IBM@IBMUS
> phone: 919.224.1565     tie-line: 8/687.1565
> fax: 919.224.2530
>
> "Yngve Nysaeter Pettersen" <yngve@opera.com>
> Sent by: public-wsc-wg-request@w3.org
> 03/14/07 10:43 AM
> Please respond to
> yngve@opera.com
>
>
> To
> Timothy Hahn/Durham/IBM@IBMUS, public-wsc-wg@w3.org
> cc
>
> Subject
> Re: interesting issue found yesterday
>
> Hello Tim,
>
> On Wed, 14 Mar 2007 15:01:23 +0100, Timothy Hahn <hahnt@us.ibm.com>  
> wrote:
>
>> On page load - Firefox popped up a message telling me it didn't like the
>> company's Server certificate!!!  So I investigated.  The indication was
>> that the cert was signed by an unknown signer.  So I looked at the
> signer
>> information.  It said "Verisign Class 3 ..." from "Verisign. Inc.".
>>
>> So I looked at my set of known CA signer certificates ... I have 3
> (count
>> 'em 3) Verisign Class 3 CA signer certificates known to my Firefox
>> install.
>>
>> So how could it be that I don't have the "right one"?  (actually, I know
>> how it could be - Verisign created a new one, and I didn't know I was
>> supposed to go out and get it ... or I have a Firefox install that
> hadn't
>> had the right CA signer's update applied).
>>
>> Everything looks right ... even to my eyes which ought to know better
> ...
>> what could possibly be the issue?
>
> You may have encountered a website that is missing the Intermediate CA
> certificate from Verisign. AFAIK, Verisign class 3 certs are usually
> organized subscriber->intermediate->root.
>
> What happens in some cases is that IE will download the intermediate if it
> is missing and there is a URL (the AIA attribute) in the site certificate,
> which means it will not complain. AFAIK Mozilla (and Opera) do not do
> this, which means that we are not able to complete the chain, and pop up a
> certificate warning.
>
> This is a configuration issue on the server.
>
>

-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer		             Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
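The failure mode discussed in this thread (a server that sends only its own certificate, leaving a client that does not follow AIA unable to build the chain) can be reproduced offline. The script below is an added example and is not part of the original thread or of any of the products mentioned; it assumes only that the openssl command-line tool is installed. All names, hostnames and serial numbers are constructed. It builds a throwaway root -> intermediate -> subscriber hierarchy and then verifies the subscriber certificate the way a client without AIA fetching does: trusting only the root and using nothing but what the "server" sent alongside its own certificate.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds a constructed
# root -> intermediate -> leaf hierarchy with the openssl CLI, then checks
# whether a client that trusts only the root (and fetches nothing over the
# network) can complete the chain from what the server sent.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

build_hierarchy() {
  # Extension profiles for the CA certificates and the end-entity certificate.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  printf 'basicConstraints=critical,CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > "$WORK/leaf.ext"

  # Root CA: self-signed (constructed name).
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/root.key" \
    -out "$WORK/root.csr" -subj "/CN=Example Root CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" \
    -extfile "$WORK/ca.ext" -days 2 -out "$WORK/root.pem" >/dev/null 2>&1

  # Intermediate CA: signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/int.key" \
    -out "$WORK/int.csr" -subj "/CN=Example Intermediate CA" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
    -set_serial 1001 -extfile "$WORK/ca.ext" -days 2 -out "$WORK/int.pem" >/dev/null 2>&1

  # Subscriber (server) certificate: signed by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/leaf.key" \
    -out "$WORK/leaf.csr" -subj "/CN=www.example.test" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.pem" -CAkey "$WORK/int.key" \
    -set_serial 2001 -extfile "$WORK/leaf.ext" -days 2 -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_as_sent BUNDLE
#   BUNDLE holds the extra certificates the server sends next to its own.
#   Only the root is trusted and nothing is fetched (no AIA chasing), which
#   is the behaviour the thread attributes to Mozilla and Opera.
#   Prints "complete" when the chain builds and "incomplete" otherwise.
verify_as_sent() {
  if openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" >/dev/null 2>&1; then
    echo complete
  else
    echo incomplete
  fi
}

build_hierarchy

# Correctly configured server: sends its certificate plus the intermediate.
echo "leaf + intermediate sent: $(verify_as_sent "$WORK/int.pem")"
# Misconfigured server from the thread: sends only its own certificate.
echo "leaf only sent:           $(verify_as_sent "$WORK/leaf.pem")"
```

Against a live server the same check is `openssl s_client -connect host:443 -showcerts`, which prints every certificate the server actually sends; an administrator should see the intermediate(s) there, not just the subscriber certificate. The script deliberately passes only the root to `-CAfile` so that an intermediate which happens to sit in the local trust store cannot mask the server's omission, which is exactly how the chain fails for a client whose store lacks the newer intermediate.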

Received on Wednesday, 14 March 2007 16:30:38 UTC