Open Bug 183990 Opened 22 years ago Updated 2 years ago

Invalid error text when OCSP responder is unavailable

Categories

(MailNews Core :: Security: S/MIME, defect, P3)

Other Branch
x86
Windows XP

Tracking

(Not tracked)

People

(Reporter: brant, Unassigned)

References

(Blocks 1 open bug, )

Details

(Whiteboard: [kerh-coz])

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3a) Gecko/20021205
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.3a) Gecko/20021205

I received a message from bclary@netscape.com. Its digital signature was marked as invalid. When chatting with bclary@netscape.com, we came to the conclusion that there may be an issue with OCSP after we did some troubleshooting.

Reproducible: Always

Steps to Reproduce:
1. Turn OCSP on.
2. Receive a message from bclary@netscape.com.
3. Look at the certificate.

Actual Results: The certificate says it is invalid. When looking in cert manager, it says it is invalid for unknown reasons.

Expected Results: It should mark the certificate okay. With OCSP off, the certificate appears okay.

Chat log, showing troubleshooting steps. (Sorry for unreadability, Chatzilla bug.) I am brantgurga, bclary@netscape.com is bc.

[INFO] Channel view for ``#evangelism'' opened.
=== *** Your host is irc.mozilla.org[irc.mozilla.org/6667], running version 2.8/hybrid-6.0
-->| YOU have joined #evangelism
=-= Topic for #evangelism is ``Don't forget to put domain in front of Evang bug summaries, Table-less CSS layout at http://www.w3.org/''
=-= Topic for #evangelism was set by bc on Fri Dec 06 2002 12:19:09 GMT-0500 (US Eastern Standard Time)
brantgurga: bc: The signature issue is still there with the message you just sent.
bc: but is it not recognized by your mailer? the root authority for it is GTE CyberTrust Root
brantgurga: from "Message Security" dialog in Mozilla Mail: "The certificate used to sign the message was issued by a certificate authority that you do not trust for issuing this kind of certificate."
bc: right but if you did trust GTE CyberTrust Root (which is external to AOL) then you would 'trust' the signature. It doesn't show as broken signature does it? Just not known?
brantgurga: It does say the signature is invalid. but gives that as the reason
bc: Ok. fine with me. wonder if we should get mozilla to trust GTE? who do they trust?
brantgurga: There are two CyberTrust builtin certs: GTE CyberTrust Root, GTE CyberTrust Global Root
bc: so why do you show you don't trust it?
brantgurga: The intranet certificate appears okay in cert manager under GTE. But your cert says "Could not verify this certificate for unknown reasons."
bc: heh
brantgurga: possible reason: Intranet Certificate Authority - GTE Corporation cert has been verified for the following uses: SSL Certificate Authority. message signing does not appear in that list
bc: do you use OCSP?
brantgurga: yes, but I don't see OCSP errors
bc: funny cause when i view the cert it says "This certificate has been verified for the following uses: Email Signer Certificate"
brantgurga: bug in Mozilla?
bc: what do you have OCSP set to?
brantgurga: validate only certs that give OCSP URL
bc: Mozilla/NS won't let me sign mail with a cert that isn't for signing. hmm well, either that or in the cert issuances
brantgurga: seeing if anything changes if I turn OCSP off. OCSP off, the signature appears as valid
bc: file a bug and tell em to ask me for an email if they want a test case. :-)
brantgurga: do you want CC?
bc: sure
brantgurga: MailNews or PSM?
bc: PSM I guess. If they don't want it they will give it away
brantgurga: guessing PSM: S/MIME
Adding bclary so he can follow bug progress as well.
Send me a message so I can look at the URL in the OCSP extension in the certificate.
Done. FYI: the cert I am using to sign mail is my AOL-issued cert for that purpose.
Changed the summary. We determined that certificates.netscape.com is inside the firewall, and hence when a signed message goes out to someone beyond the firewall, they would not be able to reach the OCSP responder, which would generate an invalid signature icon in the message. However, the error text, "Could not verify the message for unknown reasons" could be more specific - it should indicate that the OCSP server was unavailable to verify the certificate used to sign the message.
Assignee: ssaux → kaie
Summary: certificate coming from bclary@netscape.com appears invalid when OCSP is on → Invalid error text when OCSP responder is unavailable
Also the error text displayed when the signing certificate has been revoked is incorrect: "The certificate used to sign the message was issued by a certificate authority that you do not trust for issuing this kind of certificate" Should be more like: "The certificate used to sign the message has been revoked by the issuing certificate authority."
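The two comments above ask that a verifier distinguish "OCSP responder unreachable" and "certificate revoked" from a catch-all "unknown reasons". The example below is an added illustration of that separation and is not Mozilla/PSM code; the OCSP transport is injected so it runs offline, and the hostnames and message strings are constructed for the demo.

```python
# Added illustration for this bug's error-text problem; not Mozilla/PSM code.
# The OCSP transport is injected so it runs offline; hosts below are constructed.
from dataclasses import dataclass
from enum import Enum
import socket
from typing import Callable, Optional

class OcspStatus(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNKNOWN = "unknown"   # responder answered but does not know this certificate

class Verdict(Enum):      # the value is the user-facing text
    VALID = "The certificate used to sign the message is valid."
    REVOKED = ("The certificate used to sign the message has been revoked by the "
               "issuing certificate authority.")
    OCSP_UNAVAILABLE = ("The OCSP responder at {url} could not be reached to verify "
                        "the certificate used to sign the message.")
    UNKNOWN = "Could not verify the certificate used to sign the message for unknown reasons."

@dataclass(frozen=True)
class SigningCert:
    subject: str
    ocsp_url: Optional[str]   # URL from the certificate's OCSP (AIA) extension, if any

def verify(cert: SigningCert, fetch: Callable[[str], OcspStatus], hard_fail: bool = True):
    """Return (verdict, message); `fetch` returns the responder's status or raises
    OSError on a transport failure. Certs without an OCSP URL are not revocation-checked,
    mirroring the "validate only certs that give an OCSP URL" setting in the report."""
    if cert.ocsp_url is None:
        return Verdict.VALID, Verdict.VALID.value
    try:
        status = fetch(cert.ocsp_url)
    except OSError:
        # A transport failure (firewalled responder, DNS, timeout) is its own state and
        # must not surface as "unknown reasons"; soft-fail accepts but says so.
        if not hard_fail:
            return Verdict.VALID, Verdict.VALID.value + " (revocation status not checked)"
        return Verdict.OCSP_UNAVAILABLE, Verdict.OCSP_UNAVAILABLE.value.format(url=cert.ocsp_url)
    if status is OcspStatus.GOOD:
        return Verdict.VALID, Verdict.VALID.value
    if status is OcspStatus.REVOKED:
        return Verdict.REVOKED, Verdict.REVOKED.value
    return Verdict.UNKNOWN, Verdict.UNKNOWN.value

def firewalled_fetch(url: str) -> OcspStatus:
    """Constructed responder: unreachable outside the issuer's network, as in the report."""
    if "intranet.example" in url:
        raise socket.gaierror("responder not resolvable from outside the firewall")
    return OcspStatus.REVOKED if url.endswith("/revoked") else OcspStatus.GOOD
```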
*** Bug 136469 has been marked as a duplicate of this bug. ***
Blocks: 157555
Assignee: kaie → nobody
Product: PSM → Core
Whiteboard: [kerh-coz]
Currently it is even worse: a denial of service occurs, for example upon certificate import (see Bug 331336).
Priority: -- → P2
Target Milestone: --- → mozilla1.9alpha
QA Contact: carosendahl → s.mime
Product: Core → MailNews Core
Related: Bug 91403 - (unknownreason) "Could not verify this certificate for an unknown reason" is not good enough
Priority: P2 → P3
Target Milestone: mozilla1.9alpha1 → ---
Severity: normal → S3