ietf-smime

Re: S-MIME key length

1999-10-28 15:22:47
Dennis Glatting wrote:

> I did not add a Novell root cert. However, NS says there is a "NOVELL
> EMPLOYEE CA - NOVELL_INC" and another Novell cert loaded. When I read
> your messages I notice your cert listed in "Other People's
> Certificates." I can add that cert but I don't think that is your
> point, is it?

It may not be a problem of having the cert, just of trust.  More below.
 
> It's possible my mail tool modified the input. I am working on my mail
> environment, turning off my NeXTSTEP machines, using different mail
> tools, adding TLS to secure IMAP transport -- generally having fun.

If the hash-matching were the problem, you would have seen a
different error than what you saw.

> When I click on the Invalid Signature icon associated with your
> messages NS displays:
>
>         The Certificate that was used to digitally
>         sign this message is invalid.
>
>         The error was: The certificate issuer for
>         this server has been marked as not trusted
>         by the user. Netscape refuses to connect
>         to this server.
>
> (I did?)

Please ignore the "Netscape refuses to connect to this server."
and imagine the "for this server" was "for this user" or "for
this peer" or something slightly better like that.

(And don't blame me.  It's a long story (and this is hardly
our worst error message, either. ;-)  Short explanation: it's
a shared error message that was originally written when the
only thing you did with certificates was SSL.)

What it comes down to is that it means your problem was
one of trust, not of keysize (or modified input).
 
> What do you suggest I do?

You can do one of two things.  You can trust Bob's individual
cert directly, or you can trust his CA cert.  Both can be
accomplished via the Security Info (aka Security Advisor;
also same thing that comes up when you click on the Invalid
Signature icon in the message or when you click on the Security
button in the toolbar).  The CA cert should show up in the
Signers page; Bob's individual cert in the People page.  It sounds
like you've already located both.  Select the one you want to trust,
and then click on Edit to change the trust.

(BTW, if you're paranoid, you would check that the cert you
are trusting is really the cert you should trust.  For example
by calling Bob and asking him to tell you his certificate's
fingerprint.  Not that anybody, including those of us who
presumably "know better" *ever* do this. ;-)
 
lisa
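
The two remedies described above (trust the CA cert, or trust Bob's own cert and check its fingerprint out of band), reproduced with OpenSSL's smime tool as an added example that is not part of this thread. It assumes openssl 1.1 or later is on the path; the CA name, Bob's identity, the file names and the message are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the "certificate issuer not
# trusted" failure with OpenSSL's smime tool, then resolve it the two ways the
# reply describes. Names, key sizes and the message are constructed for this demo.
set -e
WORK=$(mktemp -d)
mkdir -p "$WORK/nocerts"           # an empty trust store (nothing trusted yet)

# A private CA (stands in for an employer CA) and Bob's CA-issued signing cert.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Example Employee CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=Bob/emailAddress=bob@example.test" \
  -keyout "$WORK/bob.key" -out "$WORK/bob.csr" >/dev/null 2>&1
openssl x509 -req -days 30 -in "$WORK/bob.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -out "$WORK/bob.pem" >/dev/null 2>&1

# Bob signs a constructed message; his cert travels inside the signed data.
printf 'hello from bob\r\n' > "$WORK/msg.txt"
openssl smime -sign -in "$WORK/msg.txt" -signer "$WORK/bob.pem" \
  -inkey "$WORK/bob.key" -out "$WORK/msg.p7m" >/dev/null 2>&1

# Verify the signed message; extra args select the trust anchors. Exit 0 = valid.
verify_smime() {
  openssl smime -verify -in "$WORK/msg.p7m" -out /dev/null "$@" >/dev/null 2>&1
}

# SHA-256 fingerprint of a PEM cert: the value you would read to Bob on the phone.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# 1. Recipient trusts nothing: the signature itself is fine, but the chain ends
#    at an unknown issuer. Key size never enters into it.
verify_smime -CApath "$WORK/nocerts" -no-CAfile \
  && echo "unexpectedly trusted" || echo "untrusted issuer (the Netscape situation)"

# 2. Trust the CA cert: every cert that CA issued, Bob's included, now verifies.
verify_smime -CAfile "$WORK/ca.pem" && echo "trusted via CA cert"

# 3. Trust Bob's cert directly: skip chain building, but pin the embedded signer
#    cert by comparing its fingerprint with the one obtained out of band.
verify_smime -noverify -signer "$WORK/signer.pem"
[ "$(cert_fingerprint "$WORK/signer.pem")" = "$(cert_fingerprint "$WORK/bob.pem")" ] \
  && echo "signer fingerprint matches the out-of-band value"
```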
