Brian Smith wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=367577
You need a custom build of NSS, with NSS_ECC_MORE_THAN_SUITE_B=1 e.g.:
The beef of the bug is the following in Nelson's comment :
"Based on http://www.ietf.org/ietf/IPR/certicom-ipr-rfc-3446.pdf, some
of the contributors have chosen to believe that all uses of ECC, except
the uses defined in the RFCs for TLS and IPSec, are potentially patent
infringing. Consequently, the "Basic ECC" builds that are used in all
Mozilla clients, use ECC only in the TLS protocol itself, and in cert
signature verification, and use only the curves named in that document."
My interpretation would be slightly different from the one of Nelson :
NSS has been implemented in a way carefully chosen to avoid Certicom's
patents, however if you limit yourself to using it in the few contexts
where Certicom has pledged to provide a royalty free license to anybody,
you are certain to take no risk at all.
Also, I updated the bug to reference the fact that the above document is
now obsolete, a more recent version is now
http://www.certicom.com/images/pdfs/certicom%20-ipr-contribution-to-ietfsept08.pdf
(referenced from https://datatracker.ietf.org/ipr/1004/).
The change is that it now includes CMS in the allowed usages for the
royalty free licence. So if the intended usage of the generated key is
inside Thunderbird for email, 'ec-sign' should be allowed.
But some might be worried that the caller of generateCRMFRequest might
intend to do something else with the signature key, and should be warned.
Using generateCRMFRequest, is it possible to include extension that are
requested for the certificate ? Like requesting the s/mime extended key
usage extension ?
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
