Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Paul Hoffman
At 3:24 PM -0700 7/18/08, Wan-Teh Chang wrote: >On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote: >> >>>There's a test site with a Comodo-issued ECC cert at >>> >>> https://comodoecccertificationauthority-ev.comodoca.com/ >> >> ...which no browser will let me into. :-) >

Re: Firefox 3; CAs; Slashdot; guess what happens next

2008-07-18 Thread Paul Hoffman
At 5:15 PM -0700 7/18/08, Nelson B Bolyard wrote: >Paul Hoffman wrote, On 2008-07-18 16:16: >> > >It's gratifying to see the numbers of people who do understand PKI and >are refuting the usual ignorant nonsense. It appears to me that the >

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Wan-Teh Chang
On Fri, Jul 18, 2008 at 1:58 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote: > >>There's a test site with a Comodo-issued ECC cert at >> >>https://comodoecccertificationauthority-ev.comodoca.com/ > > ...which no browser will let me into. :-) > >>and the Comodo ECC root CA cert itself is available a

Re: Firefox 3; CAs; Slashdot; guess what happens next

2008-07-18 Thread Eddy Nigg
Paul Hoffman: > What should happen next? All I know is that I've got a lot of work and it's already weekend here... having most staff off. Next time I'll ask /. to kindly schedule their articles to mid-week ;-) -- Regards Signer: Eddy N

Re: Firefox 3; CAs; Slashdot; guess what happens next

2008-07-18 Thread Nelson B Bolyard
Paul Hoffman wrote, On 2008-07-18 16:16: > It's gratifying to see the numbers of people who do understand PKI and are refuting the usual ignorant nonsense. It appears to me that the percentage of replies from people who "get it" is higher

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Paul Hoffman
At 6:18 PM -0400 7/18/08, Frank Hecker wrote: >Paul Hoffman wrote: >> At 9:27 AM -0400 7/18/08, Frank Hecker wrote: >>> Paul Hoffman wrote: >>> > Has anyone validated the ECC parameters they used? >>> >>> Not that I'm aware. >> >> I think that's unfortunate. It is easy for all of us to test th

Firefox 3; CAs; Slashdot; guess what happens next

2008-07-18 Thread Paul Hoffman
___ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

ssh/sftp with nss/nspr?

2008-07-18 Thread Matt Lawson
Hi, I am considering retro-fitting an existing application with the NSS/NSPR libraries, however I also need ssh and sftp capability. I cannot find anywhere a discussion of these in relationship to NSS. Is there an existing way to do this? Or do I have to choose from: 1. Use NSS/NSPR for pla

Re: Public comment periods

2008-07-18 Thread Frank Hecker
Nelson B Bolyard wrote: > I'm not clear on the separate purposes of the two comment periods. > Is there a statement somewhere, of what their separate purposes are? > > What (if anything) are the would-be public participants supposed to do > differently in one period than in the other? My intent i

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Frank Hecker
Paul Hoffman wrote: > At 9:27 AM -0400 7/18/08, Frank Hecker wrote: >> Paul Hoffman wrote: >> > Has anyone validated the ECC parameters they used? >> >> Not that I'm aware. > > I think that's unfortunate. It is easy for all of us to test the > parameters for RSA certs, but few of us have software

Re: Public comment periods

2008-07-18 Thread Nelson B Bolyard
I'm not clear on the separate purposes of the two comment periods. Is there a statement somewhere, of what their separate purposes are? What (if anything) are the would-be public participants supposed to do differently in one period than in the other? What is the event (other than the passage of

Re: A general question about libnss3

2008-07-18 Thread Wan-Teh Chang
NSS also stands for "Name Service Switch". Fortunately, our convention of inserting the major version "3" in our shared library names avoids most naming conflicts with Name Service Switch's libraries (and OpenSSL's SSL library). So you can eliminate anything that doesn't match the pattern lib*3.so

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Paul Hoffman
At 9:27 AM -0400 7/18/08, Frank Hecker wrote: >Paul Hoffman wrote: > > Has anyone validated the ECC parameters they used? > >Not that I'm aware. I think that's unfortunate. It is easy for all of us to test the parameters for RSA certs, but few of us have software for testing ECC certs. >There's

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Wan-Teh Chang
On Fri, Jul 18, 2008 at 12:48 PM, Frank Hecker <[EMAIL PROTECTED]> wrote: > Wan-Teh Chang wrote: >> In your summary of information for CAs, you >> should replace "Modulus (key length)" by "EC parameters (named curve)" >> for ECC roots. > > I've revised the information checklist to reflect your comm

Re: Public comment periods

2008-07-18 Thread Eddy Nigg
Frank Hecker: > > (Of course you or > anyone else could have been doing review prior to that, based on the > information in the bug.) > I don't think it to be very useful and efficient to start a review prior to the "information complete state" and have the CA confirmed by you for public discuss

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Frank Hecker
Wan-Teh Chang wrote: > In your summary of information for CAs, you > should replace "Modulus (key length)" by "EC parameters (named curve)" > for ECC roots. I've revised the information checklist to reflect your comments; see item 2.6: http://wiki.mozilla.org/CA:Information_checklist Please let

Re: A general question about libnss3

2008-07-18 Thread Nelson B Bolyard
Ruchi Lohani wrote, On 2008-07-18 11:06: > It gives the version as NSS 3.12.0.2. > > The problem I am facing is when I build my program on ubuntu linking to > nss and nspr it works fine on Ubuntu but when I try to use the same > library built on Ubuntu on Suse its unable to resolve the symbols an

Re: A general question about libnss3

2008-07-18 Thread Justin Dolske
Kai Engert wrote: > Ubuntu has apparently chosen to use non-standard library names, > therefore you can't use your binary produced on Ubuntu on a system that > uses standard library names. Similar problems have bitten Labs' Weave extension. See bugs 442679, 442788, 442257. Justin

Re: 3rd party ECC module + NSS integration

2008-07-18 Thread Wan-Teh Chang
On Fri, Jul 18, 2008 at 5:50 AM, David Stutzman <[EMAIL PROTECTED]> wrote: > > The ECC PKCS11 module that I added is > actually FIPS-approved. So, in my case at least, I should be ok regardless > of the version of NSS I use or I *still* need a FIPS-approved and > enabled softtoken in addition to my F

Re: A general question about libnss3

2008-07-18 Thread Kai Engert
Ubuntu has apparently chosen to use non-standard library names, therefore you can't use your binary produced on Ubuntu on a system that uses standard library names. Recompile. Kai Ruchi Lohani wrote: Hi, It gives the version as NSS 3.12.0.2. The problem I am facing is when I build my prog

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Wan-Teh Chang
On Fri, Jul 18, 2008 at 6:27 AM, Frank Hecker <[EMAIL PROTECTED]> wrote: > Paul Hoffman wrote: >> Has anyone validated the ECC parameters they used? > > Not that I'm aware. There's a test site with a Comodo-issued ECC cert at > > https://comodoecccertificationauthority-ev.comodoca.com/ > > and the

RE: A general question about libnss3

2008-07-18 Thread Ruchi Lohani
Hi, It gives the version as NSS 3.12.0.2. The problem I am facing is when I build my program on ubuntu linking to nss and nspr it works fine on Ubuntu but when I try to use the same library built on Ubuntu on Suse its unable to resolve the symbols and I get the following messages When I do 'ld'

Re: Which piece of code prompts for master password?

2008-07-18 Thread Kai Engert
Sune Mølgaard wrote: With sm trunk, I get a whole bunch of prompts for the master password on startup. https://bugzilla.mozilla.org/show_bug.cgi?id=348997

Re: A general question about libnss3

2008-07-18 Thread Kai Engert
Ruchi Lohani wrote: Hi, Can anybody tell me something about the various nss packages that are there in ubuntu (hardy). I see libnss3-0d libnss3-1d libnss3-1d-dbg libnss3-dev etc. I have the following in my /usr/lib lrwxrwxrwx 1 root root 13 200

Re: distribute our CA to users

2008-07-18 Thread jehan procaccia
Great detailed explanation, I've even gone further, here's a doc and screenshots of what I did based on your recommendations: http://www-public.it-sudparis.eu/~procacci/wiki/bin/view/Documentations/MozillaCCK and it works :-) , at least on windows, I need to test that on Linux and to check that

A general question about libnss3

2008-07-18 Thread Ruchi Lohani
Hi, Can anybody tell me something about the various nss packages that are there in ubuntu (hardy). I see libnss3-0d libnss3-1d libnss3-1d-dbg libnss3-dev etc. I have the following in my /usr/lib lrwxrwxrwx 1 root root 13 2008-07-17 16:47 libnss3.so

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Wan-Teh Chang
On Thu, Jul 17, 2008 at 8:54 PM, Paul Hoffman <[EMAIL PROTECTED]> wrote: > Has anyone validated the ECC parameters they used? They use the NIST P-384 curve (secp384r1), which is in NSA Suite B. Wan-Teh
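The "has anyone validated the ECC parameters" question above, and the checklist change to record "EC parameters (named curve)" for ECC roots, both come down to reading the SubjectPublicKeyInfo of the root and confirming it names a known curve rather than carrying explicit domain parameters. The script below is an added example, not code from this thread or from Mozilla's process; it uses only the openssl command line, generates its own throwaway P-384 self-signed certificate as constructed input (it does not fetch the Comodo root), and the function and file names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: report the named curve of an EC certificate's public key
# and check it against the Suite B curves named in the thread.
# Requires the openssl CLI (1.1.1 or later assumed).
set -eu

# Print the OpenSSL short name of the certificate's named curve
# (e.g. "secp384r1"). Prints "none" when the key is not EC or when the
# certificate carries explicit curve parameters instead of a named-curve
# OID; a root with explicit parameters is exactly the case a reviewer
# cannot validate by eye and should flag.
cert_named_curve() {
    cert="$1"
    text=$(openssl x509 -in "$cert" -noout -text)
    case "$text" in
        *"id-ecPublicKey"*) ;;
        *) echo "none"; return 0 ;;
    esac
    # openssl prints "ASN1 OID: <curve>" only for named curves.
    curve=$(printf '%s\n' "$text" | sed -n 's/^ *ASN1 OID: *//p' | head -n 1)
    if [ -z "$curve" ]; then
        echo "none"
    else
        echo "$curve"
    fi
}

# Return 0 if the certificate's curve is one of the NIST curves in
# Suite B as OpenSSL names them (P-256 = prime256v1, P-384 = secp384r1),
# 1 otherwise.
curve_is_suite_b() {
    case "$(cert_named_curve "$1")" in
        prime256v1|secp384r1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed test input: a self-signed P-384 certificate standing in for
# a real ECC root. Writes the key to "<out>.key" and the cert to "<out>".
make_p384_cert() {
    out="$1"
    openssl ecparam -name secp384r1 -genkey -noout -out "$out.key"
    openssl req -x509 -new -key "$out.key" -out "$out" -days 1 \
        -subj "/CN=example P-384 test root" >/dev/null 2>&1
}

# Usage: sh check_curve.sh /path/to/root.pem
if [ "${1:-}" ]; then
    curve=$(cert_named_curve "$1")
    echo "named curve: $curve"
    if curve_is_suite_b "$1"; then
        echo "Suite B curve: yes"
    else
        echo "Suite B curve: no (named curve missing or not P-256/P-384)"
    fi
fi
```

On a real root, run the script against the PEM file downloaded from the CA; for the case in this thread the expected output is "named curve: secp384r1". A result of "none" on an EC root means the certificate encodes the curve explicitly, and the parameters then have to be compared field by field against the published curve before the root can be said to use P-384 at all.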

Re: Public comment periods

2008-07-18 Thread Frank Hecker
Eddy Nigg wrote: > Eddy Nigg: >> It's the time to discuss, which is obviously extended once there is a >> potential issue, it's the time one needs to review. > > > Should have been "It's *not* the time to discuss...' Understood. But note that from my point of view the start of the first public

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Jean-Marc Desperrier
Steve wrote: > In article<[EMAIL PROTECTED]>, > [EMAIL PROTECTED] says... >> Think about it : Instead of protecting them, Fx has pushed them to take >> a decision that heightens their risk level, it would have been more >> secure to let them go through the warning and access the site with Fx >> rath

SecretKeySpec for AES key causes assert failure in PK11KeyWrapper.algFromType() in JSS

2008-07-18 Thread Dean
If I try to reconstitute an AES key using a SecretKeySpec and its key bytes I get an AssertionException thrown from PK11KeyWrapper.algFromType(SymmetricKey$Type) when the cipher is initialized with the KeySpec instance. According to the doc at http://www.mozilla.org/projects/security/pki/jss/pro

Re: Public comment periods

2008-07-18 Thread Eddy Nigg
Eddy Nigg: > It's the time to discuss, which is obviously extended once there is a > potential issue, it's the time one needs to review. Should have been "It's *not* the time to discuss...' -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org

Re: Public comment periods

2008-07-18 Thread Eddy Nigg
Frank Hecker: > Unfortunately I think that that rate is too slow. The problem is that as > we clear existing requests new requests come in, and if we don't process > existing requests fast enough then the queue of unprocessed requests > will continue to grow without limit. Reading the above one mi

Re: Public comment periods

2008-07-18 Thread Frank Hecker
Eddy Nigg wrote: > I think that by committing every two weeks another CA to the public > comments period (or alternatively as you started to do, twice a one week > period) we can include and process potentially 26 CAs per year. This > should be sufficient by estimating the number of CAs which ar

Re: Comodo ECC CA inclusion/EV request

2008-07-18 Thread Frank Hecker
Paul Hoffman wrote: > Has anyone validated the ECC parameters they used? Not that I'm aware. There's a test site with a Comodo-issued ECC cert at https://comodoecccertificationauthority-ev.comodoca.com/ and the Comodo ECC root CA cert itself is available at http://crt.comodoca.com/COMODOEC

Re: distribute our CA to users

2008-07-18 Thread Tom Mount
Jehan, I was able to get our certificate installed for all users by using Mozilla's Client Customization Kit (CCK - http://www.mozilla.org/projects/cck/firefox/). I installed an older version of Firefox - 2.0.0.14 I think - then installed the kit. I make a lot of customizations to the regular inst

RE: 3rd party ECC module + NSS integration

2008-07-18 Thread David Stutzman
> I believe the NSS 3.11.4/NSPR 4.6.4 tags were chosen specifically > for their FIPS validation status. > > Since you need the bug fix in the upcoming NSS 3.11.10, you should > update the Dogtag wiki page to use NSS_3_11_BRANCH (until > NSS_3_11_10_RTM is created) and NSPR_4_7_1_RTM. You can > re

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Eddy Nigg
Thorsten Becker: > There has been an earlier audit. Gerv raised concerns about that audit > in comment #12, they were addressed in comment #13. In July all > information was gathered and in August the information was finally > "confirmed complete". IMHO the public discussion phase could have > star

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Thorsten Becker
Eddy, just to make it clear: I'm not working for a CA, I am just a user. Eddy Nigg schrieb: > Ohoommm, please note that the audit of T-Systems was completed only at > the end of the previous year, which is usually a bad time anyway > (holidays, vacations etc). Subsequently the process was star

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Eddy Nigg
Thorsten Becker: > It would have made sense over a year ago when the whole process was > started - If Mozilla had said: "We wont get it in for over a year". But > at that time it was never clear that it would take more than a year. Ohoommm, please note that the audit of T-Systems was completed on

Re: distribute our CA to users

2008-07-18 Thread jehan procaccia
indeed, in the thread you mentioned below, "tmountjr" seems to have the same needs as mine -> pushing a cert8.db containing our own CA to users, but although he "succeeded", I'm sorry, but I did not understand clearly how it could be done, tmountjr further details greatly appreciated ...

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread hoernlein
On 18 Jul., 11:10, Steve <[EMAIL PROTECTED]> wrote: > In article <[EMAIL PROTECTED]>, tb-news-2006 > @arcor.de says... > > I know, however if you look at the costs of a new certificate vs. the > costs involved in training, waiting, applying workaround; purchasing a > new certificate would make sens

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Thorsten Becker
Eddy Nigg schrieb: > Thorsten Becker: >> >> that's an excellent idea to schedule the start of a public discussion >> phase every two weeks. Additionally it would be great to have a "public >> queue", where every request that has passed the information gathering >> process would be placed. So every

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Thorsten Becker
Steve schrieb: > I know, however if you look at the costs of a new certificate vs. the > costs involved in training, waiting, applying workaround; purchasing a > new certificate would make sense. It would have made sense over a year ago when the whole process was started - If Mozilla had said:

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Steve
In article <[EMAIL PROTECTED]>, tb-news-2006 @arcor.de says... > > We are only one of almost 200 universities and research institutes in > Germany that rely on services provided by the "Deutsche Forschungsnetz > I know, however if you look at the costs of a new certificate vs. the costs in

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Eddy Nigg
Thorsten Becker: > Eddy Nigg schrieb: > >> I think one CA in public discussion per time is just fine, however the >> overall throughput could be accelerated. That would allow for a new CA >> every two weeks or so. > > that's an excellent idea to schedule the start of a public discussion > phase every

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Thorsten Becker
Eddy, Eddy Nigg schrieb: > I think one CA in public discussion per time is just fine, however the > overall throughput could be accelerated. That would allow for a new CA > every two weeks or so. that's an excellent idea to schedule the start of a public discussion phase every two weeks. Additi

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Thorsten Becker
Steve schrieb: > In article <[EMAIL PROTECTED]>, > [EMAIL PROTECTED] says... >> Think about it : Instead of protecting them, Fx has pushed them to take >> a decision that heightens their risk level, it would have been more >> secure to let them go through the warning and access the site with Fx

Re: Decline in firefox usage due to lacking CA certificates

2008-07-18 Thread Thorsten Becker
Steve schrieb: > May I ask why a university didn't just obtain another SSL certificate? > I mean you can obtain SSL certificates (RapidSSL is ~$20) cheap now. We are only one of almost 200 universities and research institutes in Germany that rely on services provided by the "Deutsche Forschung

Public comment periods

2008-07-18 Thread Eddy Nigg
Frank, right now there are three, maybe even four different CAs in the public discussion. I understand that the CAs are pressuring you to take action, however in order to seriously review the bug information, CP/CPS of the CAs, root certificates etc. as an effort from the community side, I thin