Nelson B Bolyard schrieb:
>
>> I think the solution that Jean-Marc outlined above would make some
>> sense: It would make it a bit easier to visit certain sites, but disturb
>> permanently if someone visits a site that has no trust anchor in firefox.
>
> There's a great deal of evidence, and co
Jean-Marc Desperrier wrote:
> This is something that I've seen also, and it makes me worried that the
> current Fx solution *doesn't* really work as advertised.
>
> The people see the warning, and the next minute, they start IE to access
> the site.
>
> Think about it : Instead of protecting th
joshuaaa wrote, On 2008-07-23 20:30:
> Sorry for the confusion. It would be greatly appreciated if anyone can
> shed some light on this subject. I've spent plenty of hours
> researching and haven't come up with anything promising.
>
> Anyone know if this can be accomplished through an extension?
On Jul 23, 7:40 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> joshuaaa wrote, On 2008-07-23 14:38:
>
>
>
> > On Jul 23, 4:20 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> >> joshuaaa wrote, On 2008-07-22 23:56:
>
> >>> I was under the impression (read somewhere here) that firefox 3 would
>
Thorsten Becker wrote, On 2008-07-23 03:38:
> One problem I have with the current implementation
> is: A user gets a big warning about an unknown and untrusted
> certificate. In the next step, he can add an exception. That process is
> a bit difficult. And it should be difficult. I totally agr
Eddy Nigg wrote, On 2008-07-23 14:30:
> Nelson B Bolyard:
>> Note that, when it sends the http get request to fetch the cert, it has
>> not yet validated the cert from which it got the http URL, so it doesn't
>> know if that URL is legitimate or from some hacker. It blindly fetches
>> whatever th
2008/7/23 David Sadler <[EMAIL PROTECTED]>:
>
> In mozilla-nss.spec BUILD_OPT is set to 1
>
> %build
> cd mozilla/security/nss
> export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
> export NSPR_INCLUDE_DIR=`nspr-config --includedir`
> export NSPR_LIB_DIR=`nspr-config --libdir`
> export BUILD_OPT=1
On Wed, Jul 23, 2008 at 2:43 PM, Daniel Stenberg <[EMAIL PROTECTED]> wrote:
>
> If you can stand a comparison that also involves GnuTLS, then the GnuTLS guys
> have one:
>
>http://www.gnu.org/software/gnutls/comparison.html
That's a useful page.
The code size table is missing libfreebl3 a
On Wed, Jul 23, 2008 at 5:30 PM, Ruchi Lohani <[EMAIL PROTECTED]> wrote:
> Found this in Ubuntu bugs
> https://bugs.launchpad.net/ubuntu/+source/libnss-db/+bug/238500
>
> Even though there are symlinks for each library but the SONAME differs
> for all on Ubuntu and any other
> Linux distribution. O
David Sadler wrote, On 2008-07-23 08:12:
>
> Is this IBM linux? Red Hat Linux? or ?
> (I ask because I know that Red Hat Linux supports mod_nss in Apache, but
> I was not aware that it was also being used in any IBM Linux. That would
> be good to know.)
>
> I am using SUSE 10 Linux, with Red
joshuaaa wrote, On 2008-07-23 14:38:
> On Jul 23, 4:20 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
>> joshuaaa wrote, On 2008-07-22 23:56:
>>
>>> I was under the impression (read somewhere here) that firefox 3 would
>>> allow the cert database to be updated WHILE firefox was running. I'm
>>> ge
At 11:43 PM +0200 7/23/08, Daniel Stenberg wrote:
>If you can stand a comparison that also involves GnuTLS, then the GnuTLS guys
>have one:
>
> http://www.gnu.org/software/gnutls/comparison.html
There are a lot of question marks on that for NSS. Someone familiar
with all the NSS extensions
Found this in Ubuntu bugs
https://bugs.launchpad.net/ubuntu/+source/libnss-db/+bug/238500
Even though there are symlinks for each library but the SONAME differs
for all on Ubuntu and any other
Linux distribution. On Ubuntu
objdump -p /usr/lib/libnss3.so | grep SONAME
gives libnss3.so.1d where
IMO opinion IE does the right thing.
The problem is actually worse in the other direction since FF (at least 2.x)
forces you to manually install intermediate
certificates for PIV/FIPS201 cards in order for the selection process to work
correctly.
Although AIA CA Issuer is listed as a non-critica
joshuaaa wrote, On 2008-07-22 23:56:
> I was under the impression (read somewhere here) that firefox 3 would
> allow the cert database to be updated WHILE firefox was running. I'm
> getting the same old behavior in FF3. ie. remove cert while firefox is
> open, view cert manager and the cert still
Nelson B Bolyard:
>
> Note that, when it sends the http get request to fetch the cert, it has
> not yet validated the cert from which it got the http URL, so it doesn't
> know if that URL is legitimate or from some hacker. It blindly fetches
> whatever the server at that URL sends it. Quite a few
In mozilla-nss.spec BUILD_OPT is set to 1
%build
cd mozilla/security/nss
export CFLAGS="$RPM_OPT_FLAGS -fno-strict-aliasing"
export NSPR_INCLUDE_DIR=`nspr-config --includedir`
export NSPR_LIB_DIR=`nspr-config --libdir`
export BUILD_OPT=1
export LIBDIR=%{_libdir}
%ifarch x86_64 s390x ppc64 ia64
exp
On Wed, 23 Jul 2008, Ruchi Lohani wrote:
> Since a lot of open source softwares are using NSS, I wish to know whether
> we have some documentation on specifics of
>
> OpenSSL and NSS and the advantages NSS has over OpenSSL. If so, can anybody
> direct me over that or just give a brief comparison
On Jul 23, 4:20 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> joshuaaa wrote, On 2008-07-22 23:56:
>
> > I was under the impression (read somewhere here) that firefox 3 would
> > allow the cert database to be updated WHILE firefox was running. I'm
> > getting the same old behavior in FF3. ie. r
Hi all,
Since a lot of open source softwares are using NSS, I wish to know
whether we have some documentation on specifics of
OpenSSL and NSS and the advantages NSS has over OpenSSL. If so, can
anybody direct me over that or just give a brief comparison of both.
Thanks
Ruchi
_
Eddy Nigg wrote, On 2008-07-23 08:26:
> IE fetches CA certificates on its own if a service URL of the CA issues
> is present in the parent certificate, but NSS doesn't for now.
Rather, Firefox 3 does not use the facility of NSS that is capable of
fetching certs in that fashion.
NSS 3.12 has lo
Eddy Nigg wrote, On 2008-07-23 09:26:
> Well, the RFC requires the server to send any chained CA certificate up
> to the CA root. The server doesn't have to send the root CA certificate
> itself however.
Correct. The TLS RFC requires that the server sends the chain.
The fact that it is now po
Nelson B Bolyard:
> Eddy Nigg wrote, On 2008-07-23 08:26:
>
>> IE fetches CA certificates on its own if a service URL of the CA issues
>> is present in the parent certificate, but NSS doesn't for now.
>
> Rather, Firefox 3 does not use the facility of NSS that is capable of
> fetching certs in that
Dean wrote, On 2008-07-23 09:08:
> Thanks for the answers Wan-Teh and Nelson ... and I do agree with both
> of you that the work around would be an abuse of FIPs and I shouldn't
> do it if I hope to claim FIPs compliance.
>
> I'm clearly missing a piece of the puzzle.
>
> Essentially I have an
Peter Djalaliev:
> Ah, I see. From what I can see in the RFC, this usage is not really
> forbidden, but not really standard either. Generalizing my question,
> what kind of X509v3 extensions that NSS currently support? I am aware
> that CA often use these extensions in less-than-standard ways :)
On Jul 22, 7:15 pm, "Wan-Teh Chang" <[EMAIL PROTECTED]> wrote:
> On Tue, Jul 22, 2008 at 1:22 PM, Dean <[EMAIL PROTECTED]> wrote:
>
> > I've been reading around about key generation and key material
> > manipulation and am hearing that key material manipulations is not
> > allowed in FIPs mode. Th
Ah, I see. From what I can see in the RFC, this usage is not really
forbidden, but not really standard either. Generalizing my question,
what kind of X509v3 extensions that NSS currently support? I am aware
that CA often use these extensions in less-than-standard ways :)
Peter
On Jul 23, 11:2
Eddy Nigg:
> IE fetches CA certificates on its own if a service URL of the CA issues
/issues/issuer/
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org
___
dev-tech-crypto mailing list
dev-tech-cryp
Peter Djalaliev:
> Hello,
>
> I tried connecting to http://suppliers.intel.com (which redirects to
> https://supplier.intel.com/supplierhub) from Firefox 3 and IE7 and saw
> two different certificate chains when I tried to view the server
> certificate. IE7 recognized the root certificate as comin
Is this IBM linux? Red Hat Linux? or ?
(I ask because I know that Red Hat Linux supports mod_nss in Apache, but
I was not aware that it was also being used in any IBM Linux. That would
be good to know.)
I am using SUSE 10 Linux, with Red Hat Linux's mod_nss compiled on SUSE
Linux.
I have a qu
The correct initial URL is http://supplier.intel.com, redirected to
https://supplier.intel.com/supplierhub
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Hello,
I tried connecting to http://suppliers.intel.com (which redirects to
https://supplier.intel.com/supplierhub) from Firefox 3 and IE7 and saw
two different certificate chains when I tried to view the server
certificate. IE7 recognized the root certificate as coming from a
trusted issuer, whi
Jean-Marc Desperrier schrieb:
> So the solution I'd be in favor of is :
> - Declare the current SSL error screen a failure
> - Let people go through the SSL error screen easily, just like in Fx 2
> - After they have gone though the SSL error screen and as long as they
> stay on this SSL site, dis
I was under the impression (read somewhere here) that firefox 3 would
allow the cert database to be updated WHILE firefox was running. I'm
getting the same old behavior in FF3. ie. remove cert while firefox is
open, view cert manager and the cert still exists. Have I
misunderstood or am I doing som
34 matches
Mail list logo
