Re: [apache-ssl] Automatic configuration of CA browser list


[sorry about answering my own message]
I wrote:
>I was under the strong impression that when a browser connects to a server
>with a certificate signed by an unknown CA, that it would give you the
>option of accepting either the site certificate, or the new CA.
>
>I even believe that I have seen Netscape ask me this before.  And the
>SSL FAQ says something along these lines also (section 9.2, under the
>"Note:").

Short answer, I was wrong.

I sent email to one of the SSLeay maintainers (Tim Hudson) about the FAQ,
and he answered that it was poorly worded, having been written before
Netscape Nav. distinguished between site certificates and CA certificates.
This probably also explains my shoddy memory (at least, so I'd like to
believe :-).

Only site certificates can be automatically configured.  CA certificates
must be explicitly downloaded by the browser.

       tom