[TDB 45.8.0] Thunderbird doesn't accept non-CA self signed certificates for e-mail signature verification

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

[TDB 45.8.0] Thunderbird doesn't accept non-CA self signed certificates for e-mail signature verification

NovHak
Dear forum readers,

I use self-signed certificates. As long as it's not for a large public, trust can be achieved that way : the certificate is sent to a friend, its fingerprint is then verified via a secure (enough) channel such as a phone call, and that's fine.

Hence I was sure this wouln't be a problem on Mozilla's products, so this came to me as a surprise when I discovered I can't deliver my own self-signed certificate to my friends using Thunderbird. It says the certificate can't be verified and won't be imported. Adding the certificate in the autorities list is rejected too, with the reason it's not a CA.

While I could set the CA bit on my certificate, that's a problem since it means it can be used to sign other certificates and has bigger trust implications that just accepting one certificate : recognizing my signature is one thing, accepting that I may act as a CA is clearly another matter. Contrary to some beliefs, setting pathlen=0 doesn't solve the problem since the pathlen attribute indicates how many non self-issued intermediate CAs are permitted in the certification path. So, pathlen=0 still enables signing of end entity certificates such as, say, a secure online banking website. Let's face it, that's not the kind of trust everbody is ready to give me...

That's why there should be a way to give trust to non-CA self-signed certificates.

Thanks for reading me !

--
Olivier
--
dev-tech-crypto mailing list
[hidden email]
https://lists.mozilla.org/listinfo/dev-tech-crypto