Like Richard said, mozilla::pkix requires the trust anchor for a client
auth certificate to have the email trust bit set. However, if my
understanding is correct, the only time Firefox (or any gecko-based
product, I believe) asks mozilla::pkix to verify a client auth
certificate is in the certificate viewer, where the platform is trying
to answer the question, "What are all of the usages this certificate is
valid for?". So, that's really only for display purposes.
Indeed (and again, if my understanding is correct), it doesn't matter
what Firefox thinks of the trustworthiness of a client auth certificate.
It only matters what the server on the other end of the connection thinks.
That said, it would be a bit silly if Firefox offered to use a
certificate that it knew had no hope of being accepted by the server, so
there remains the question of how Firefox picks candidate certificates
that might be used as client auth certificates. For that, the platform
delegates to NSS, where as far as I can tell the trust bits are
irrelevant. That is, when the platform calls CERT_FindUserCertsByUsage
looking for certificates valid for the certUsageSSLClient usage, NSS
doesn't require a trust anchor.
Hope this helps,
David
> <mailto:dev-se...@lists.mozilla.org>
> https://lists.mozilla.org/listinfo/dev-security