Hi All,
I am trying to run the NSS SSL sample program with a
self-signed test certificate. I modified the client program
to initialize using NSS_NoDB_Init instead of NSS_Init.
An error occurs on the client side when validating the
certificate. The call to CERT_VerifyCertNow fails with
error code -8156
Nelson Bolyard wrote:
>
> Now, there's simply no way that we can deny that those users are in control
> of the CAs they trust. The collected trust information stored by NSS for
> them is their trust anchor (in my view).
>
I think it's possible that you've overstated the prominence of these
use
Robert Sayre wrote:
> Nelson Bolyard wrote:
>>
>> In effect, all the root CA certs are subordinate to the user himself.
>
> I can't accept this assertion, but I admit I am unable to articulate the
> reason. Maybe it's that users have never, ever cared about "root CA certs"?
But it has always been
Nelson Bolyard wrote:
>
> In effect, all the root CA certs are subordinate to the user himself.
I can't accept this assertion, but I admit I am unable to articulate the
reason. Maybe it's that users have never, ever cared about "root CA certs"?
- Rob
Paul Hoffman wrote:
> At 6:06 PM +0100 5/24/07, Gervase Markham wrote:
>> Paul Hoffman wrote:
>> > That makes the assumption that all domains from those countries are in
>>> the countries' TLDs; that is a bad assumption.
>>
>> You mean that these CAs will not be able to sign certificates for some
Paul Hoffman wrote:
>
> My feeling is that we would be better off not making this leap of
> limitation. Either someone is allowed to certify in all domain names, or
> in none.
...
>
> The easiest way to avoid such problems is to not get into the business
> of subsetting which domains a CA is
At 6:06 PM +0100 5/24/07, Gervase Markham wrote:
>Paul Hoffman wrote:
> > That makes the assumption that all domains from those countries are in
>> the countries' TLDs; that is a bad assumption.
>
>You mean that these CAs will not be able to sign certificates for some
>sites that they might want
I snagged some code off the list a while back to export a key/cert as a
PKCS12 file which I got working just fine for my application. There's a
deprecation warning generated from my use of the KeyGenerator class.
The problem stems from the decrypt method in EncryptedPrivateKeyInfo
which needs
Alaric Dailey wrote:
> There were CAs approved in the past with non-webtrust audits much older than
> that. Just see http://hecker.org/mozilla/ca-certificate-list
As a point of fact, that list is not a list of approved CAs, it's a list
of applications.
Gerv
Kaspar Brand wrote:
> > Alaric Dailey wrote:
> > I'd like to remind the participants, that StartCom has already one CA root
> > in the NSS store which was approved less than a year ago:
> That doesn't imply everything was perfect with this application at that
> time. Have you ever seen a roo
Frank Hecker wrote:
> So the question is, if a government CA provided a statement roughly
> equivalent to the (public) WebTrust report, would that be sufficient for
> us? I think the answer is arguably yes, provided that we have the same
> general level of confidence in the organization doing th
Merely commenting on matters of fact:
Kaspar Brand wrote:
> That doesn't imply everything was perfect with this application at that
> time. Have you ever seen a root certificate with a nonRepudiation
> keyUsage extension? Yes, Startcom's current one does have that... Or,
> what RSA key size would