   -------          -------     -------
   |CA1c1| -------> |CA2c2|     |CA2c1|
   -------          -------     -------
      |                 |           |
      v                 v           v
  ---------            ---------------
  |CA1U1c1|            |   CA2U1c1   |
  ---------            ---------------
I am only setting up trust in one direction at the moment, from CA1 to CA2. CA1U1 and CA2U1 are certificates for the organizations' corresponding SMTP servers. CA2c2 is cross-signed by CA1c1. Both CA2c1 and CA2c2 have a subject key identifier set which is a hash of the public key, and the identifiers are the same on both certificates. CA2U1c1 has an authority key identifier set only to the hash which is in the subject key identifier of both CA2c1 and CA2c2.

I have Mozilla Thunderbird set up on two side-by-side computers. One is loaded and set to trust CA1c1 and the other, CA2c1. Currently Thunderbird on CA2 can access the SMTP server using CA2U1c1 without any problem, but Thunderbird loaded with CA1 cannot.

I modified sendmail.cf to use a CAfile containing CA2c2 and ran Wireshark while sending mail from both computers. Now Thunderbird on CA1 can correctly connect to CA2U1c1 and show a trust from CA1c1 -> CA2c2 -> CA2U1c1, and Wireshark reveals that Sendmail is advertising CA2U1c1 and CA2c2, but now Thunderbird on CA2 fails with a missing authority. The certificate view shows CA2U1c1 and CA2c2, even though it has CA2c1 in its trusted authority database and it has the same subject and subject key identifier.

Is this a limitation of Thunderbird, or is there a way to get both computers to accept the certificate without loading the cross certificates on the clients? Removing the CAfile configuration from Sendmail restored the trust on CA2 and removed the trust on the CA1 client.
-- 
Loren M. Lang
[EMAIL PROTECTED]
http://www.north-winds.org/
Public Key: ftp://ftp.north-winds.org/pub/lorenl_pubkey.asc
Fingerprint: CEE1 AAE2 F66C 59B5 34CA C415 6D35 E847 0118 A3D2
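The topology in the post, rebuilt with OpenSSL as an added example (not the poster's configuration or files): two self-signed roots CA1c1 and CA2c1, a cross-certificate CA2c2 over the CA2 key issued by CA1c1, and the server certificate CA2U1c1 whose authority key identifier is the shared CA2 key hash. It assumes `openssl` is on the PATH; all subject names and file names are constructed. The four `verify_with` cases correspond to a CA2 client and a CA1 client, each with and without CA2c2 in the chain the server presents, so you can compare a path builder that starts from the trust store against the behaviour observed in Thunderbird.

```shell
#!/bin/sh
# Constructed demo, not the poster's setup: two CAs, a cross-certificate for
# CA2's key signed by CA1 (CA2c2), and the SMTP server cert CA2U1c1, verified
# against each trust anchor with and without CA2c2 in the presented chain.
set -e
W=$(mktemp -d); cd "$W"

cat > ca.ext <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF
cat > ee.ext <<'EOF'
basicConstraints=CA:FALSE
extendedKeyUsage=serverAuth
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
EOF

# newcsr NAME SUBJECT: fresh key plus CSR (subject names are hypothetical)
newcsr() { openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
             -subj "$2" -out "$1.csr" 2>/dev/null; }
newcsr ca1 /CN=CA1; newcsr ca2 /CN=CA2; newcsr ca2u1 /CN=smtp.ca2.example
# CA1c1 and CA2c1: each organisation's own self-signed root
openssl x509 -req -in ca1.csr -signkey ca1.key -extfile ca.ext -days 365 -out ca1c1.pem 2>/dev/null
openssl x509 -req -in ca2.csr -signkey ca2.key -extfile ca.ext -days 365 -out ca2c1.pem 2>/dev/null
# CA2c2: same CA2 key and subject as CA2c1, but issued (cross-signed) by CA1c1,
# so its subjectKeyIdentifier hash is identical to CA2c1's
openssl x509 -req -in ca2.csr -CA ca1c1.pem -CAkey ca1.key -CAcreateserial \
        -extfile ca.ext -days 365 -out ca2c2.pem 2>/dev/null
# CA2U1c1: the server cert; its authorityKeyIdentifier is the shared CA2 key id
openssl x509 -req -in ca2u1.csr -CA ca2c1.pem -CAkey ca2.key -CAcreateserial \
        -extfile ee.ext -days 365 -out ca2u1c1.pem 2>/dev/null

# ski FILE: hex subjectKeyIdentifier of a certificate
ski() { openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' | tail -n1 | tr -d ' '; }
# verify_with ANCHOR [PRESENTED]: validate CA2U1c1 with only ANCHOR trusted and
# PRESENTED as the extra cert the server sends (what the sendmail CAfile adds)
verify_with() {
  if [ -n "${2:-}" ]; then
    openssl verify -no-CApath -no-CAfile -CAfile "$1" -untrusted "$2" ca2u1c1.pem >/dev/null 2>&1
  else
    openssl verify -no-CApath -no-CAfile -CAfile "$1" ca2u1c1.pem >/dev/null 2>&1
  fi
}

echo "CA2c1 SKI = $(ski ca2c1.pem)"; echo "CA2c2 SKI = $(ski ca2c2.pem)"
# Only the last case (CA1 client, no cross-cert presented) is expected to fail.
for case in "ca2c1.pem" "ca2c1.pem ca2c2.pem" "ca1c1.pem ca2c2.pem" "ca1c1.pem"; do
  if verify_with $case; then echo "PASS: $case"; else echo "FAIL: $case"; fi
done
```

OpenSSL looks in the trust store for the leaf's issuer before using presented certificates, so the CA2 client still validates CA2U1c1 when CA2c2 is in the chain; a client that instead follows the presented chain to CA1c1 and stops there is what the post describes.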