Bug#703587: libnss3 update disables some (self signed) certs (with Icedove)

Philonous Atio philatio at sogetthis.com
Sun Mar 24 12:40:30 UTC 2013


On Sun, 24 Mar 2013 01:41:34 -0400, Daniel Kahn Gillmor wrote:

> I think you should have the remote server's certificate loaded in your "Servers" tab, not in your "Authorities" tab.

Perhaps my phrasing was not quite clear, but the remote server's 
certificate was NOT loaded into the Authorities section -- I wanted to 
avoid the need to load the server's certificate at all. I meant to 
convey that a self-signed Certificate Authority (CA) signed the server's 
certificate. It was the self-signed Certificate Authority's certificate 
that was loaded into the "Authorities" section (i.e. root key store) of 
Icedove. That CA has signed multiple certificates used in various 
places. The key material for the Certificate Authority is well guarded.

I'll admit my knowledge of Public Key Infrastructure policies and 
procedures is weak. But it is my understanding that other organizations, 
such as MIT, do exactly what I have described above. If what I have 
described entails undue security risk, please advise.

Many thanks,
Phil


