Poor User Experience Downloading Digital Certificates in Navigator
Steve Liu
that this group exists, and I'm hoping some experts in certificate servers may be
able to chime in as well...for anyone who can help, the original question is
attached at the bottom. Thanks.)
Nelson,
Thanks again for the information. To answer your questions...
* The Verisign exercise was done with a completely new Communicator profile, with no
DB password.
* All the old certs were (and are) still deleted. Currently, there is the client and
the root cert that was installed during the Verisign "one-click" download", and
that's it.
Given that, these questions remain:
1) Given this, can you (or anyone) figure out how Verisign did their "one-click"
download, downloading their root and their client cert in one shot in Navigator? I
would love to find that out.
2) Also, does Netscape have anything that documents what you said about not needing
to download an entire certificate chain? The security vendor we're dealing with
insists that the entire chain must be downloaded.
Thanks!
Steve
"Nelson B. Bolyard" wrote:
> Steve Liu wrote:
> >
> > Nelson,
> >
> > Thanks for your quick reply. This is one of the reasons I am and will
> > continue to be a happy Netscape customer and supporter.
> >
> > I guess my two follow-up questions are:
> >
> > 1) I did a little experiment. First, I cleared my Navigator 4.72 DB of all
> > certificates and CAs. I double-checked that there was no one in the list of
> > "Signers". After rebooting, I went to Verisign and requested a trial client
> > certificate (http://www.verisign.com/client/enrollment/index.html). I
> > received a PIN in e-mail and went to the Verisign URL to get my certificate.
> > In one click, the client certificate and a CA certificate were loaded into
> > my browser, without much, if any, interaction from me.
>
> Was this with a completely new Communicator user "profile"?
> If not, did this profile previously have a DB password?
>
> After rebooting, but before visiting verisign, did you double check to make
> sure that all the certs you had deleted were still deleted?
>
> Deleteing certs in Communicator is an imperfect procedure. Adding a cert
> that's been previously deleted is not necessarily identical to adding a cert
> that's never been in the DB.
>
> > In other words, I was a) not asked to set up a cert DB password, and b)
> > allowed to download the root cert and the client cert in one fell swoop.
> > Do you have any idea how Verisign accomplished this?
>
> Not off the top of my head. I'd guess they used a multi-part MIME file
> for the download. But that's only a wild guess. Assuming your results
> are reproducible, it should be possible to monitor all the traffic between
> your browser and their server to see exactly what they did ... unless they
> use SSL.
>
> > 2) I'm not a developer any more, but evidently our developers need a lesson or
> > two as well; how can the download of the intermediate CA cert and the root CA
> > cert be done in one shot?
>
> It is never neccessary to explicitly download an intermediate CA cert into
> the cert DB, and I'd say doing so is quite undesirable.
>
> > However, in reading the Web site, I noticed mention of a "JavaScript API".
> > Could this be used to address any of the concerns I raised?
>
> Perhaps. But I'm unfamiliar with it.
>
> > Thanks,
> > Steve
>
> --
> Nelson Bolyard Sun / Netscape Alliance
> Disclaimer: I speak for myself, not for Netscape
------- Original Message
Hi. Hope someone on the board can help me.
Our Web site requires users to download client certificates to be able to access the
site. We're both a CA and a root CA.
Microsoft IE users literally can download the certificate in one click, which
downloads the root, the CA cert, and the user cert with one "OK". As you know,
Netscape Navigator forces our users to go through these
steps
Generate a Private Key <read about private key, click>
Setting Up Your Communicator Password <enter blank password pair, click>
Setting Up Your Communicator Password <read warning, click>
New User Certificate <view certificate, click>
Save User Certiciate <read about saving a copy of the certificate,
click>
New Certificate Authority <read about process of accepting CAs, click
Next>
New Certificate Authority <read about CAs, click Next>
New Certificate Authority <examine CA cert, click Next>
New Certificate Authority <check network, e-mail, software developers,
click Next>
New Certificate Authority <check warning box, click Next>
New Certificate Authority <enter CA name, click Finish>
New Certificate Authority <read about process of accepting CAs, click
Next>
New Certificate Authority <read about CAs, click Next>
New Certificate Authority <examine root CA cert, click Next>
New Certificate Authority <check network, e-mail, software developers,
click Next>
New Certificate Authority <check warning box, click Next>
New Certificate Authority <enter root CA name, click Finish>
Our Netscape users have been very vocal in requesting that they not need to click
through 17 screens for what Microsoft IE does in one click.
Question: is there a way to allow one-click download for Netscape users given our
setup?
Thanks,
Steve
stev...@att.net
Nelson B. Bolyard
>
> (BTW: I'm cross-posting this to netscape.dev.certificates, because I just
> realized that this group exists, and I'm hoping some experts in certificate
> servers may be able to chime in as well...for anyone who can help, the
> original question is attached at the bottom. Thanks.)
Steve, I've reformatted your message so the lines aren't wrapped. Please
limit the length of each line in the posting to less than 80 characters.
Thanks.
> Nelson,
>
> Thanks again for the information. To answer your questions...
>
> * The Verisign exercise was done with a completely new Communicator profile,
> with no DB password.
>
> * All the old certs were (and are) still deleted. Currently, there is the
> client and the root cert that was installed during the Verisign "one-click"
> download", and that's it.
If you "edit" the verisign root CA cert in the security window, what does
it show for the 3 trust flags (the 3 check boxes, enabling trust for SSL,
for S/MIME, and for signed objects)? I'd be surprised if the root CA was
trusted for anything at that point, unless you explicitly marked it trusted.
> Given that, these questions remain:
>
> 1) Given this, can you (or anyone) figure out how Verisign did their
> "one-click" download, downloading their root and their client cert in one
> shot in Navigator? I would love to find that out.
Have you read the Netscape Certificate Download Specification ?
It explains how to download PKCS#7 cert chains and "Netscape certificate
sequences".
http://home.netscape.com/eng/security/comm4-cert-download.html
BTW, this is one of many relevant Communicator security documents you'll
find starting at http://home.netscape.com/eng/security/
> 2) Also, does Netscape have anything that documents what you said about
> not needing to download an entire certificate chain? The security vendor
> we're dealing with insists that the entire chain must be downloaded.
I think I wasn't clear about that. In your original email about this, the
one in which you enumerated the many steps your users were going through,
you indicated that you were downloading the intermediate CA separately from
the root CA, as if it was another root CA. Doing it that way, you're
actually telling Communicator to trust the intermediate CA as its own root
CA. That's what I was saying you don't want to do. When you download your
"user cert", the cert for which you already have the private key, you should
get the entire cert chain for that cert with the new cert in the same
download.
I believe that there are two ways for you to accomplish what you want.
They are
a) download the user cert with the cert chain, as documented in the URL
above, and then use the security window to edit the trust flags on the
new root CA cert you just downloaded, or
b) Do a sequence of two downloads. First, download the root CA. During
that sequence, you can mark it trusted for your purposes. Then download
the user cert, including the cert chain for that cert. I'd say this is
the sequence that was intended by the Communicator designers.
> Thanks!
> Steve