Hans

@hans:  as I understand it the compatibility is on the shoulder of the signing authority, because browsers need to recognize the signing authority URL. So the cert issuers need to make sure they are backward compatible with what the browsers already trust. I saw Verisign come up in FF1.5 as untrusted just this month, for example, and that’s Verisign the mother of all signing authorities.

Another example of Verisign wierdness: Verisign claims “universal browser compatibility” for their certificates (see http://www.verisign.com/ssl/buy-ssl-certificates/secure-site-services/index.html)  But if you go to their “Browser Check” page where it says:

With one click, Browser Check instantly tells you: * What browser and version you’re using * Your browser’s encryption strength-standard 40-bit SSL, or 128-bit SSL: the strongest encryption available * Upgrade recommendations

and click “check browser” using Firefox 3, it comes up with a manual selection request offering me choices of Netscape Communicator or Internet Explorer versions 4 and less. It apparently couldn’t recognize FF3 and thus can’t “auto detect”?  What does that mean for their certificates? It shouldn’t matter because they are supposed to present a root URL that is in the browser’s trusted signing authority list. But it does make me wonder if the signing authority is simply trusting that the Firefox folks will make sure their browser includes the appropriate URLs for Verisign, instead of the other way around (Verisgn maintaining backward compatibility with old browsers, and actually testing browsers before claiming “browser ubiquity”).

Consumer science says the cert seller is responsible for “merchantability and fitness for purpose” and so I encourage buyers to question their vendors when compatibility is an issue. You can’t do that if you don’t check, and if you’re not checking (and the sellers aren’t checking) the only one losing a sale is you.

thank you so much for reminding me