Merike said:
The site I have a problem with is www.ekool.ee.
My browser is IE 6 with SP2 and OS XP Professional.
My clock shows the right date and time, and the expiration date of the
certificate shouldn't matter since it expires in November 2005. The only
error it shows is mentioned above; it even says the certificate is
valid.
Adding the site to the trusted sites list didn't help. I viewed the
certificate and it shows that it is issued by KLASS3-SK. Is there a list
of trusted certificate issuers so I can add that one?
Going to www.ekool.ee results in this site forcing a secure connection
(i.e., it wants to use SSL for an HTTPS connect). I get "revocation for
this certificate is not available". That means IE couldn't contact the
CA (certificate authority) listed in the certificate to verify that it
has not been revoked. Yes, the content of the certificate is okay
because it has not been altered. Even an expired or revoked certificate
can be "okay" regarding its content if it has not been modified.
When you visit https://mail.yahoo.com and double-click on the padlock
icon in the status bar, the cert details under the CRL Distribution
Points shows a contact URL where to check for revocation
("URL=http://crl.verisign.com/RSASecureServer.crl" for Yahoo Mail, which
uses Verisign). For your
www.ekool.ee site, its CRL is listed as
"URL=http://www.sk.ee/crls/klass3/klass3.crl" (which isn't reachable, is
down, or has an invalid path to the .crl revocation file). Yet I was
able to download that .crl file so I don't know why IE couldn't check it
for revocation of the cert used at the www.ekool.ee site. I did see
that the cert's serial number for that site and those listed in their
.crl revocation list were pretty short at just 4 bytes long (32 bits).
The serial number for Yahoo Mail's cert is 16 bytes long (128 bits), as
is the cert's serial number for my bank's secured web page, as is
PayPal's, eBay's, and several other HTTPS sites that I checked.
ekool.ee's serial number is the shortest that I remember seeing, so
maybe they aren't valid. Although I glanced at several sites discussing
how PKI works, they didn't mention how serial numbers are managed.
Could be that is CA dependent (i.e., their choice). However, it looks
like ekool.ee is getting their cert from sk.ee and 4 bytes gives them
3,000 times the number of serial numbers as for their population. I did
find:
"The serial number MUST be a positive integer assigned by the CA to each
certificate. It MUST be unique for each certificate issued by a given CA
(i.e., the issuer name and serial number identify a unique certificate).
CAs MUST force the serialNumber to be a non-negative integer.
Given the uniqueness requirements above, serial numbers can be expected
to contain long integers. Certificate users MUST be able to handle
serialNumber values up to 20 octets. Conformant CAs MUST NOT use
serialNumber values longer than 20 octets."
But that doesn't specify any minimum length for the serial number. Also
note that they are forcing an HTTPS connection and something you have
configured in IE prompts that you are trying to make that secured
connection but haven't included that site as trusted.
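As an added example (not code from either poster), a standard-library Python sketch of the two points discussed in the reply: the RFC 5280 rules on serialNumber (positive, at most 20 octets, with a locally chosen 8-octet floor because the RFC sets none) and a lookup of a serial in a revokedCertificates list, where a CRL that cannot be fetched yields "unknown" rather than "good". The serial values, dates and the 8-octet minimum are constructed assumptions, not ekool.ee's or sk.ee's real data.

```python
# Added example (not from the thread), stdlib only; sample serials, dates and the 8-octet floor are constructed.
def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, otherwise 0x8N plus N big-endian octets."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return bytes([n]) if n < 0x80 else bytes([0x80 | len(b)]) + b

def der_int(value: int) -> bytes:
    """DER INTEGER in minimal two's complement (a set top bit gets a 0x00 pad)."""
    body = value.to_bytes((value.bit_length() + 8) // 8, "big", signed=True)
    return b"\x02" + der_len(len(body)) + body

def der_read(buf: bytes, pos: int = 0):
    """Split one TLV at buf[pos]: returns (tag, content, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def check_serial(content: bytes, min_octets: int = 8) -> list:
    """RFC 5280 4.1.2.2 (positive, <= 20 octets); the minimum is local policy, not RFC."""
    problems = []
    if int.from_bytes(content, "big", signed=True) <= 0:
        problems.append("not a positive integer")
    if len(content) > 20:
        problems.append("longer than 20 octets")
    if len(content) < min_octets:
        problems.append(f"{len(content)} octets, below local minimum {min_octets}")
    return problems

def build_revoked_list(entries) -> bytes:
    """revokedCertificates: SEQUENCE OF SEQUENCE {userCertificate INTEGER, revocationDate UTCTime}."""
    out = b""
    for serial, utc in entries:  # utc like "050301120000Z" (YYMMDDhhmmssZ)
        body = der_int(serial) + b"\x17" + der_len(len(utc)) + utc.encode("ascii")
        out += b"\x30" + der_len(len(body)) + body
    return b"\x30" + der_len(len(out)) + out

def revocation_status(serial: int, crl_list) -> str:
    """No CRL (IE's 'revocation information not available') is 'unknown', never 'good'."""
    if crl_list is None:
        return "unknown"
    _, content, _ = der_read(crl_list)
    pos, revoked = 0, set()
    while pos < len(content):  # each entry is SEQUENCE {serial, date}; the serial comes first
        _, entry, pos = der_read(content, pos)
        revoked.add(int.from_bytes(der_read(entry)[1], "big", signed=True))
    return "revoked" if serial in revoked else "good"

# Constructed sample: a 4-octet serial like the one in the thread, a 16-octet one, and a CRL list
# holding two other constructed serials, so SHORT_SERIAL is not revoked and LONG_SERIAL passes the checks.
SHORT_SERIAL, LONG_SERIAL = 0x12345678, int.from_bytes(b"\x5a" * 16, "big")
SAMPLE_CRL = build_revoked_list([(0x0A0B0C0D, "050301120000Z"), (0x7F00FF00, "050302120000Z")])
```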