On 11/2/2011 6:39 AM, Ludolf Holzheid wrote:
On Wed, 2011-11-02 05:41:57 -0400, al_9x@yahoo.com wrote:
The concept of trusted server certs (as opposed to trusted authority certs) is well established. Firefox cert manager, for example, has a servers tab where you can import and trust specific server certs (self signed and not)
And Firefox accepts such certificates even if they can't be validated (and thus are to be considered invalid)?I would regard this as a bug or at least as a design flaw...
They *are* validated, by the user's explicit grant of trust to the imported server cert. The flaw is not in Firefox but your understanding of trust. The reason you walk the trust chain to a trusted root is because normally (standard PKI model) you don't trust individual server certs, but only CA roots. However if (for whatever reason) you do explicitly trust a server cert, no further validation is needed.