On Saturday 19 July 2008 19:30:51 Paul Hoffman wrote: > At 11:04 AM +0100 7/19/08, Rob Stradling wrote: > >I think that the ECDSA signature algorithms will only be supported in > > OpenSSL 0.9.9 (not yet released) and above. > > > >Try a recent openssl-SNAP-2008mmdd.tar.gz from > > ftp://ftp.openssl.org/snapshot instead. > > Will do. > > Non-mandatory question: what software/hardware did Comodo use to > generate the key pair?
Our ECC key pair was generated on a Utimaco SafeGuard CryptoServer (FIPS 140-2 Level 3/4). http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#811 > What did you use to validate it? I would hope that, before the FIPS 140-2 certification was granted, Utimaco and/or NIST ensured that the Utimaco HSMs were only capable of generating valid ECC key pairs. After generating our ECC key pair, issuing the COMODO ECC Certification Authority root certificate, and issuing a test EV SSL Server Certificate, we checked... - that "openssl x509" in the latest OpenSSL-0.9.9 snapshot was able to parse the root certificate without complaining about anything. - that the certificate viewer in Windows Vista was able to view the root certificate without complaining about anything. (We of course had to manually add the root certificate to the Windows Trusted Root Store). - that IE7/Vista, Firefox 2/3 on several OSes, and "openssl s_client" were able to connect to the https://comodoecccertificationauthority-ev.comodoca.com test site without complaining about anything. (We of course had to manually add the root certificate to the Windows and Mozilla Trusted Root Stores). > As Mozilla (hopefully) starts seeing more ECDSA certs, having some > common tools would be very useful for all of us. Nelson has said: "Yes, NSS does this for every ECC signature it verifies. NSS recognizes a finite set of curves, and verifies that the base point is on the curve as a part of signature verification." Perhaps NSS's "checkcert" command-line utility would or should do the necessary checks? > _______________________________________________ > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- Rob Stradling Senior Research & Development Scientist Comodo - Creating Trust Online Office Tel: +44.(0)1274.730505 Fax Europe: +44.(0)1274.730909 www.comodo.com Comodo CA Limited, Registered in England No. 04058690 Registered Office: 3rd Floor, 26 Office Village, Exchange Quay, Trafford Road, Salford, Manchester M5 3EQ This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please notify the sender by replying to the e-mail containing this attachment. Replies to this email may be monitored by Comodo for operational or business reasons. Whilst every endeavour is taken to ensure that e-mails are free from viruses, no liability can be accepted and the recipient is requested to use their own virus checking software. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
