I try to keep pretty close watch on the contents of my Key Chain. I'm pretty sure no other certs were added. And I'm positive no DOE Certificate Authority cert was added.
On Oct 26, 2006, at 12:01 PM, Paul Derby wrote and Michael Kluskens responded:
Well, here is the scenario that doesn't work with certificates from DOE Los Alamos National Labs which uses Entrust:
I send an email to Tom with my Thawte digital signature.
He receives, confirms the email is signed. He replies with a signed email.
His two Entrust certs go on my "login" keychain automatically.
And you can confirm no other certificates were added the first time you received signed email from him? Not that it would be surprising that no other certificates were added, it would be very surprising that you can confirm that, I certainly never noticed the extra certificates I was getting.
The issuer of his cert is: Organization - U.S. Government, organization unit - Department of Energy, Organization Unit - Los Alamos National Laboratory
What is the "Common Name" of the certificate that signed his certificate. You have to double click on the certificate and look down the list of information. First is Subject Name, then Issuer Name, inside that I find Common Name, which is the name of the certificate that signed that certificate. I don't expect their certificates to display differently, however, they could be incomplete.
On top of that you should also find URL's in the certificate information that permit you to get additional information, perhaps even the signing certificate in the case where it was truly not automatically included or auto downloaded by Keychain Access (strictly speaking I don't know what put the signing certificates in my keychain, I just know that when I find an untrusted certificate I also find it's signing certificate once I know what I'm looking for).
There are no URL's in this certificate. My Thawte certificate doesn't have embedded URL's either.