On 11/19/2013 10:40 AM, Wan-Teh Chang wrote:
> Bob's answer is accurate.
>
> Note that CAs are more interested in SHA-2 based signature support
> rather than plain SHA-2 support. So another way to track down the NSS
> version is to look at the CVS history of the secvfy.c file:
>
> http://bonsai.mozilla.org/cvslog.cgi?file=mozilla/security/nss/lib/cryptohi/secvfy.c&rev=HEAD&mark=1.30
>
> The relevant revisions are:
>
> 1.7 nelsonb%netscape.com 2002-12-11 22:05 Support SHA256, SHA384, and
> SHA512 hashes in NSS.
>
> 1.14 wtchang%redhat.com 2005-08-12 16:50 Bugzilla Bug 296410: enlarge
> the buffer size for message digest so that we can generate and verify
> signatures that use SHA-512.
>
> 1.17 rrelyea%redhat.com 2006-02-07 22:14 Bug 320583 Support for
> SHA256/384/512 with ECC signing
>
> So it is safe to say that by mid 2006 (NSS 3.11.1, released on
> 2006-05-05) the support of SHA-2 based signatures in NSS was already
> stable and complete, covering both RSA and ECDSA signatures. 
This would map to*:
  Firefox  2.0.0.1
  Thunderbird 1.5.0.10
  Mozilla 1.9a1
  Seamonkey 1.0.8

> Another
> evidence of mature support is the FIPS 140-2 validation of NSS 3.11.4
> (http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#814).
>
> A very conservative response would be NSS 3.11.4
> (http://www-archive.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-release-notes.html)
> and later.

This yields the same list (it looks like Mozilla picked up 3.11.5 as the
first NSS 3.11 build it shipped).


* Source: the CVS log for nss.h, the one file known to change for every
release (because it has the NSS version numbers).
>
> Wan-Teh


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto