- From: Kingsley Idehen <kidehen@openlinksw.com>
- Date: Tue, 02 Oct 2012 15:50:18 -0400
- To: public-xg-webid@w3.org
- Message-ID: <506B457A.4030208@openlinksw.com>
On 10/2/12 3:33 PM, David Chadwick wrote:
> Hi Kingsley
>
> finally it's working, but Thunderbird has a bug in it which fooled me
> for some time. I imported your CA cert, said it was trusted to issue
> email certs, but Thunderbird still kept saying your signature was
> invalid, even though it showed the cert was issued by this trusted CA.
>
> Eventually I decided to shut down Thunderbird and restart it, and
> magically your signature became trusted. So it appears that
> Thunderbird is not dynamically updating its in-memory record of
> trusted CAs used for signature verification, so that the list of
> trusted CAs on disc becomes out of sync with the in-memory copy.

Great to see you've made progress. Thanks for the heads-up re. Thunderbird, I need to update my howto guide accordingly.

Next stop, adding CA WebIDs to CA certs., then automatically adding said WebID to Issuer Alternative Name slot when issuing certificates. Net effect, via email you can follow-your-nose to the CA certs. public en route to importing into local key stores.

Kingsley

>
> regards
>
> David
>
> On 01/10/2012 15:48, Kingsley Idehen wrote:
>> On 10/1/12 7:57 AM, David Chadwick wrote:
>>> Kingsley
>>>
>>> the problem I have is that the signer's self signed certificate is not
>>> available to me.
>>
>> Good point! This is where the value of Issuer Alternative Name would come
>> into play. Basically, the Cert issuer's WebID goes in there and it then
>> enables you to de-ref the signer's public key. We are adding that to all our
>> generators.
>>
>>> Your S/MIME cert did not include the issuer's cert in the certificate
>>> chain, so where do I get it from? Without this root cert I am not able
>>> to validate your cert. When sending signed email, isn't it possible to
>>> include the full cert path?
>>
>> In the meantime, our signer's cert is available from:
>> https://www.dropbox.com/s/uig83k71kym398f/OpenLink%20Local%20CA%20Cert.crt
>>
>>>
>>> Or is that your email client is sending it, but Thunderbird is hiding
>>> it from me?
>>
>> No, right now you need to be able to de-reference it from a URL.
>>
>> Kingsley
>>>
>>> regards
>>>
>>> David
>>>
>>>
>>> On 30/09/2012 18:11, Kingsley Idehen wrote:
>>>> On 9/30/12 7:05 AM, Melvin Carvalho wrote:
>>>>>> > Why? what do I gain from doing this - consider me a naive outsider
>>>>>> >
>>>>> Essentially this links your email to your WebID / Social Graph in a
>>>>> standards compliant, machine readable way.
>>>>>
>>>>> I've imported my cert into thunderbird and imported the root node as
>>>>> a CA but I get
>>>>>
>>>>> "Sending of message failed.
>>>>> Unable to sign message. Please check that the certificates
>>>>> specified in Mail & Newsgroups Account Settings for this mail
>>>>> account are valid and trusted"
>>>>>
>>>>> http://kb.mozillazine.org/Message_security
>>>>>
>>>>> Verify whether all parent nodes of the certificate are in your
>>>>> list of trusted CAs, and whether they can be used to identify mail users
>>>>>
>>>>> Looks I've done this but it still throws an error. I've had bugs in
>>>>> thunderbird before wrt security. Not sure on this one ...
>>>>>
>>>>
>>>> You have to ensure the following:
>>>>
>>>> 1. signer certificate is imported via "Authorities" tab
>>>> 2. personal certificates (signed using the signer cert.) are imported
>>>> into "Your Certificates" tab
>>>> 3. email address in the certificate matches the email address of the
>>>> Thunderbird account being configured.
>>>>
>>>> You can also read:
>>>>
>>>> 1. http://bit.ly/NrzHNY -- using Thunderbird to send digitally signed
>>>> email.
>>>>

--

Regards,

Kingsley Idehen
Founder & CEO
OpenLink Software
Company Web: http://www.openlinksw.com
Personal Weblog: http://www.openlinksw.com/blog/~kidehen
Twitter/Identi.ca handle: @kidehen
Google+ Profile: https://plus.google.com/112399767740508618350/about
LinkedIn Profile: http://www.linkedin.com/in/kidehen

Attachments
- application/pkcs7-signature attachment: S/MIME Cryptographic Signature
Received on Tuesday, 2 October 2012 19:50:45 UTC
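
The Issuer Alternative Name idea discussed in this thread, as an added example that is not part of the original messages or of OpenLink's generators: a throwaway CA issues an S/MIME certificate carrying the CA's WebID in `issuerAltName`, the URI is read back from the issued certificate, and the chain is checked against the CA cert. It assumes the OpenSSL command line is installed; every name, address and URI is constructed.

```shell
#!/bin/sh
# Added example; every name, address and URI below is constructed.
# The WebID has no '#' fragment because '#' starts a comment in OpenSSL config files.
CA_WEBID="https://ca.example/id/ca"

make_demo_pki() {  # $1 = empty working directory
  d=$1
  # Self-signed CA: the "signer certificate" imported under Authorities.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Local CA" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null || return 1
  # Key and signing request for the mail user.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Alice" \
    -keyout "$d/alice.key" -out "$d/alice.csr" 2>/dev/null || return 1
  # Extensions for the issued cert: the user's address and WebID in
  # subjectAltName, the CA's WebID in issuerAltName.
  cat > "$d/ext.cnf" <<EOF
subjectAltName = email:alice@example.org, URI:https://alice.example/id/alice
issuerAltName = URI:$CA_WEBID
keyUsage = digitalSignature
extendedKeyUsage = emailProtection
EOF
  openssl x509 -req -in "$d/alice.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -out "$d/alice.crt" 2>/dev/null
}

issuer_webid() {  # $1 = certificate; prints the URI in Issuer Alternative Name
  openssl x509 -in "$1" -noout -text |
    grep -A1 'X509v3 Issuer Alternative Name' | sed -n 's/^ *URI://p'
}

chain_ok() {  # $1 = certificate, $2 = PEM file holding the CA cert to trust
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

demo() {
  dir=$(mktemp -d) && make_demo_pki "$dir" || return 1
  echo "issuer WebID in alice.crt: $(issuer_webid "$dir/alice.crt")"
  chain_ok "$dir/alice.crt" "$dir/ca.crt" && echo "verifies once the CA cert is available"
  rm -rf "$dir"
}
demo
```

The URI only tells a recipient where to look for the CA certificate; deciding to trust what is fetched from it is still a separate step, as with the manual import into the Authorities tab.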