Re: Update on DigiNotar and Entrust

2008-06-24 Thread Eddy Nigg
Nelson B Bolyard: > Eddy Nigg wrote, On 2008-06-24 14:56: > >> Another question is, what happens if the cross-signed certificate is >> revoked AND NSS recognizes the revocation. Would this effectively have >> the DigiNotar root show up as revoked? > > It would, UNLESS any of the following were true

Re: Update on DigiNotar and Entrust

2008-06-24 Thread Nelson B Bolyard
Eddy Nigg wrote, On 2008-06-24 14:56: > Another question is, what happens if the cross-signed certificate is > revoked AND NSS recognizes the revocation. Would this effectively have > the DigiNotar root show up as revoked? It would, UNLESS any of the following were true: 1. A newer Entrust c

Re: NSS support in cURL

2008-06-24 Thread Nelson B Bolyard
Ruchi Lohani wrote, On 2008-06-24 16:19: > Since NSS support has been added to cURL library, No kidding! When did that happen? > has this (link below) come to the notice of Mozilla dev? > > I hav

Re: Importing exporting JKS key to NSS db

2008-06-24 Thread Nelson B Bolyard
Yevgeniy Gubenko wrote, On 2008-06-24 12:20: > Let me explain you my motivation: Thank you. > I have client java 1.6 application, which runs on windows platform. > The server java 1.6 application runs on Solaris 10 and should be > FIPS140-2 compliant. > Thus, all crypto on server side should pa

Re: NSS support in cURL

2008-06-24 Thread Robert Relyea
Ruchi Lohani wrote: Hi, Since NSS support has been added to cURL library, has this (link below) come to the notice of Mozilla dev? http://cool.haxx.se/cvs.cgi/curl/lib/README.NSS?rev=HEAD&content-type=text/vnd.viewcvs-markup

Re: NSS support in cURL

2008-06-24 Thread Eddy Nigg
Ruchi Lohani: > Hi, > > Since NSS support has been added to cURL library, has this (link below) > come to the notice of Mozilla dev? > > http://cool.haxx.se/cvs.cgi/curl/lib/README.NSS?rev=HEAD&content-type=text/vnd.viewcvs-markup >

NSS support in cURL

2008-06-24 Thread Ruchi Lohani
Hi, Since NSS support has been added to cURL library, has this (link below) come to the notice of Mozilla dev? http://cool.haxx.se/cvs.cgi/curl/lib/README.NSS?rev=HEAD&content-type=text/vnd.viewcvs-markup Are there any plans going on to make the interface of curl and NSS easier and better

Re: Conflicts in type defines

2008-06-24 Thread Wan-Teh Chang
On Tue, Jun 24, 2008 at 1:21 PM, Ruchi Lohani <[EMAIL PROTECTED]> wrote: > Sounds good. The workarounds just worked fine, I was working with those > till now and it wasn't a pain. > I checked out the NSS 3.12 release notes but didn't find this bug number > in the 'fixed bug' list ! Glad to know th

Re: Update on DigiNotar and Entrust

2008-06-24 Thread Eddy Nigg
Nelson B Bolyard: > I am confident that removing the email trust flag from the Entrust root > that cross certified the Diginotar root key would effectively stop certs > issued by Diginotar from being treated as valid email certs. This is the > only method in which I am confident, today. > > We hav

Re: Importing exporting JKS key to NSS db

2008-06-24 Thread Arshad Noor
You can choose to use the NSS database on both sides if you wish and use the JDK's SunPKCS11 bridge from your Java application to get to the keys and certificates in the NSS keystore/certstore. Take a look at the source code of StrongKey (www.strongkey.org) on the client side (Symmetric Key Client

RE: Conflicts in type defines

2008-06-24 Thread Ruchi Lohani
Sounds good. The workarounds just worked fine, I was working with those till now and it wasn't a pain. I checked out the NSS 3.12 release notes but didn't find this bug number in the 'fixed bug' list ! -Ruchi -Original Message- From: Wan-Teh Chang [mailto:[EMAIL PROTECTED] Sent: Saturday

RE: Importing exporting JKS key to NSS db

2008-06-24 Thread Yevgeniy Gubenko
Let me explain you my motivation: I have client java 1.6 application, which runs on windows platform. The server java 1.6 application runs on Solaris 10 and should be FIPS140-2 compliant. Thus, all crypto on server side should pass through the tunnel of PKCS#11 provider crypto API to NSS 3.11.4,

Re: https flow

2008-06-24 Thread Kyle Hamilton
"We have removed this functionality because we have decided that users are stupid." -Kyle H 2008/6/24 Kai Engert <[EMAIL PROTECTED]>: > Pawel P wrote: >> >> I want to overwrite default mozilla 1.9 behavior in https flow. >> I want to be informed about certificates (especially bad). >> I'll show m

Re: Where are the binaries for nss 3.12 and nspr 4.7.1?

2008-06-24 Thread Glen Beasley
hi, cannot you not just build the binaries yourself? http://www.mozilla.org/projects/security/pki/nss/nss-3.12/nss-3.12-release-notes.html#docs http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html cvs co -r NSPR_4_7_1_RTM mozilla/nsprpub cvs co -r NSS_3_12_RTM mozill

Re: certutil or PKI for NSS 3.11.9

2008-06-24 Thread Arshad Noor
I will defer to your experience in the war-stories you've heard, Nelson. You've certainly seen a lot more people do stupid things in this area than I have, I'm sure. I tend to get involved only when people want to do PKI the right way :-). I am a strong believer that educating the general masses

Re: jss and new libraries in ff3

2008-06-24 Thread Kai Engert
Abraham wrote: I deployed an applet that uses jss in order to get certs (and associated private keys) on firefox keystore and sign electronic documents. The applet works well in Firefox 2, but in Firefox 3 the browser crashes when my implementation of PasswordCallback provides the token passwo

Re: certutil or PKI for NSS 3.11.9

2008-06-24 Thread Nelson B Bolyard
Arshad Noor wrote, On 2008-06-23 15:58: > Nelson, > > I think you may want to qualify your message in this paragraph, so as > to not mislead people who don't understand PKI very well. Arshad: I want people who don't understand PKI very well to get one message, loud and clear: Don't try to make

Re: jss and new libraries in ff3

2008-06-24 Thread Glen Beasley
hello Abraham, please open a bug on JSS. Attach stack trace, test program and steps to recreate. https://bugzilla.mozilla.org/enter_bug.cgi?product=JSS I will try to look at your issue then. >Could I avoid the applet to use the new dll's on %ProgramFiles%/Mozilla Firefox/ and use the old ver

Re: https flow

2008-06-24 Thread Kai Engert
Pawel P wrote: I want to overwrite default mozilla 1.9 behavior in https flow. I want to be informed about certificates (especially bad). I'll show my own "certificate dialogs" to user and user will decide if accept certificate or not. In mozilla 1.8 I used nsIBadCertListener interface to do abo

Re: Update on DigiNotar and Entrust

2008-06-24 Thread Nelson B Bolyard
Frank Hecker wrote, On 2008-06-20 17:26: > As promised, here is an update on where things stand with regard to > DigiNotar and Entrust. (Since a lot of this is based on information I > got from Nelson, he's invited to point out where I got things wrong.) > > First, a recap for those who've forg

Re: New SSL warning

2008-06-24 Thread Eddy Nigg
Gervase Markham: > Eddy Nigg wrote: >> Jan Schejbal: >>> I did (now completely), but most of it seems to be a discussion about >>> CAs (not) revoking keys. As I understand it, if the CA does use only a >>> normal CRL (and not OCSP), firefox won't care. At least the >>> proof-of-concept attack on th

Re: New SSL warning

2008-06-24 Thread Gervase Markham
Eddy Nigg wrote: > Jan Schejbal: >> I did (now completely), but most of it seems to be a discussion about >> CAs (not) revoking keys. As I understand it, if the CA does use only a >> normal CRL (and not OCSP), firefox won't care. At least the >> proof-of-concept attack on the akamai key still worke