On 3/12/2011 6:22 a.m., Sean Boran wrote:
> Well yes, we are trying to incept... I don't see where the "forgery" is, if my proxy CA is trusted and a cert is generated for that target, signed by that CA, why should the browser complain?
The "forgery" is that you are creating a certificate claiming to be fetched from that website and authorizing you to act as their intermediary with complete security clearance. When it is not. Exactly like me presenting someone with a cheque against your bank account signed by myself. Forgery, by the plain and simple definition of the word. This is why the browser complains unless it has explicitly been made to trust the CA you use to sign.
I missed the part where you had your signing CA already in the browser and read that as the browser not complaining when only presented with the plain cert.
> And why would FF not complain but IE9 does?
The one complaining does not trust the certificate or some part of its CA chain. As others have said, each of the three browser engines uses their own CA collections.
Amos
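
The behaviour described in this reply can be reproduced with the openssl CLI. The script below is an added example, not part of the original message or of Squid; the CA names and host name are constructed. It validates one proxy-generated certificate against two separate CA collections, standing in for two browsers with different trust stores.

```shell
#!/bin/sh
# Added illustration; every name below (Demo Proxy CA, Unrelated Root,
# www.example.test) is constructed. Requires the openssl CLI.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME FILE: self-signed CA certificate and key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.pem" 2>/dev/null
}

# issue_leaf HOST CAFILE: server certificate for HOST signed by that CA,
# which is what the intercepting proxy generates for each target site.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CAcreateserial \
        -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -out "$WORK/leaf.pem" 2>/dev/null
}

# client_verdict STORE: validate the leaf against one client's CA collection.
# Only chain trust is checked here, not the host name.
client_verdict() {
    if openssl verify -CAfile "$WORK/$1.pem" "$WORK/leaf.pem" >/dev/null 2>&1
    then echo trusted
    else echo untrusted
    fi
}

make_ca "Demo Proxy CA" proxy
make_ca "Unrelated Root" other
issue_leaf www.example.test proxy

# Client A had the proxy CA imported into its store; client B did not.
echo "client A (store has proxy CA): $(client_verdict proxy)"
echo "client B (store lacks it):     $(client_verdict other)"
```

The same certificate is accepted by one client and rejected by the other; the only difference is whether the signing CA is present in that client's own store.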