Howard Chu wrote, On 2008-08-12 19:12:
> That was the other point I was trying to make about global state... It's
> common practice to set up services with private CAs, so that random nosy
> clients cannot connect to them. In an OpenLDAP proxy installation you'll
> have one server cert/key and arb
> -Original Message-
> From: Eddy Nigg
> Sent: Wednesday, August 06, 2008 9:12 PM
> To: dev-tech-crypto@lists.mozilla.org
> Subject: Re: Comodo ECC CA inclusion/EV request
>
> Robin Alden:
> > Eddy Nigg said:
> >> In http://www.mozilla.org/projects/security/certs/policy/ section 7
> >> exp
bmo wrote, On 2008-08-12 19:36:
> I just pulled out a Windows Vista Machine -- with Firefox 2.0.15, and
> hit the page with our signed java applet on it -- SUCCESS -- I am
> provided a prompt that says the applet verified, do I want to run the
> code?
> I then installed FF 3.0.1 on the Vista machin
On Aug 8, 7:06 pm, Nelson Bolyard <[EMAIL PROTECTED]>
wrote:
> Gordon.Young wrote, On 2008-08-07 10:07:
>
> > the interesting thing is that even though the entire chain is passed
> > during SSL handshake, Firefox does not find the issuer of the "EE
> > issuing CA's" certificate. on this test server
Hi,
I have a certificate based mutually authenticated session between the
browser and a web server.
I would like to find out the certificate presented by the browser
using a programmatic API.
I can get the server certificate by clicking the icon at the status-bar
window.
How do I find out t
Could you perhaps post your certificate chain?
-Kyle H
On Tue, Aug 12, 2008 at 7:25 PM, bmo <[EMAIL PROTECTED]> wrote:
> As a followup -- on Firefox 2.0.15 (Windows Vista), hitting our same
> page with an applet signed by our cert as with FF 3.0.1 on Mac,
> the dialog comes up as "Signature is v
I just pulled out a Windows Vista Machine -- with Firefox 2.0.15, and
hit the page with our signed java applet on it -- SUCCESS -- I am
provided a prompt that says the applet verified, do I want to run the
code?
I then installed FF 3.0.1 on the Vista machine. Reset the JVM cache;
hit the same page
As a followup -- on Firefox 2.0.15 (Windows Vista), hitting our same
page with an applet signed by our cert as with FF 3.0.1 on Mac,
the dialog comes up as "Signature is verified, do you want to run this
code?" - SUCCESS.
That machine has never seen our signed java applet before; it has no
certi
Julien R Pierre - Sun Microsystems wrote:
> Nelson,
>
> Nelson Bolyard wrote:
>> Julien R Pierre wrote on 2008-08-12 16:53 PDT:
>>> Robert Relyea wrote:
>>>
>>>> SECMOD_OpenUserDB() will open new database slots in the internal
>>>> database module.
>>> Unfortunately, those additional DBs can't be m
Nelson,
Nelson Bolyard wrote:
> Julien R Pierre wrote on 2008-08-12 16:53 PDT:
>> Robert Relyea wrote:
>>
>>> SECMOD_OpenUserDB() will open new database slots in the internal
>>> database module.
>> Unfortunately, those additional DBs can't be manipulated separately.
>
> huh?
> - key gens can b
Julien R Pierre wrote on 2008-08-12 16:53 PDT:
> Robert Relyea wrote:
>
>> SECMOD_OpenUserDB() will open new database slots in the internal
>> database module.
>
> Unfortunately, those additional DBs can't be manipulated separately.
huh?
- key gens can be done in each one separately,
- certs c
Bob,
Robert Relyea wrote:
> SECMOD_OpenUserDB() will open new database slots in the internal
> database module.
Unfortunately, those additional DBs can't be manipulated separately.
This is particularly a problem for trust.
Howard,
Howard Chu wrote:
> Did any of those FIPS audits red-flag the above code snippet?
Of course not.
You seem to be mistaken about the purpose and scope of FIPS140 validation.
Only cryptographic code needs to be validated. The libnss initialization
code is not cryptographic code, and thus
On Aug 12, 3:18 pm, Nelson Bolyard <[EMAIL PROTECTED]>
wrote:
> Kyle Hamilton raised the possibility that the error you're seeing is from
> the JVM rather than from Mozilla code. If the complaint comes from Java,
> which has its own PKI and trusted cert store, then I'd guess that Java
> doesn't t
bmo wrote, On 2008-08-12 11:41:
> I've posted a PNG of the chain of trust as reported by the browser to
> http://www.tryventi.com/certissue/onehub_cert.png
That shows your cert to be valid. That's all that matters, with respect
to your cert.
You originally reported an error message that said:
On Aug 12, 1:40 pm, "Kyle Hamilton" <[EMAIL PROTECTED]> wrote:
> Er. Java on the Mac might use the system Keychain, instead of the
> Firefox security module. Try looking in Keychain Access for the
> UTN-USERFirst certificate, and then try installing it into Keychain
> Access, and try it again.
G
If you haven't already done so, read Dan Kaminsky's slides from his
talk at blackhat. http://www.doxpara.com/DMK_BO2K8.ppt
After he presents the DNS attack, he talks about SSL, certs, and what
browsers must do to get real security against DNS attacks from SSL and
certs.
If you don't have time to
Er. Java on the Mac might use the system Keychain, instead of the
Firefox security module. Try looking in Keychain Access for the
UTN-USERFirst certificate, and then try installing it into Keychain
Access, and try it again.
-Kyle H
On Tue, Aug 12, 2008 at 11:41 AM, bmo <[EMAIL PROTECTED]> wrote
On Aug 11, 9:42 pm, Nelson B Bolyard <[EMAIL PROTECTED]> wrote:
> bmo wrote, On 2008-08-11 20:22:
>
> > Summary: I suspect that there's something wrong with the BUILT-IN Root
> > CA cert UTN-USERFirst-Object in Firefox 3.0.1.
> Look at your cert in FF2. Look at the cert chain. Do you see only tw
Nelson B Bolyard wrote:
> Howard Chu wrote, On 2008-08-11 20:07:
>> Nelson B Bolyard wrote:
>>> Howard Chu wrote, On 2008-08-10 14:13:
>>>> It would make it impossible to use in e.g. OpenLDAP/nss_ldap because
>>>> applications would be unable to load their own configuration settings
>>>> after nss_ldap
On Aug 10, 6:43 am, Yevgeniy Gubenko <[EMAIL PROTECTED]>
wrote:
> Thanks Nelson for your reply.
> Yes, I was producing cert8.db.
> I used your link to recreate the certificates,
> but still got the same exception as before when fips mode was enabled in the
> stage of importing CA certificate file
Brian, something else you might like to try...
The "UTN-USERFirst-Object" Root CA happens to be cross-certified by
the "AddTrust External CA Root" Root CA. Both Roots are owned by Comodo, and
both are trusted by Firefox for the purpose of signing code.
You can download the cross-certificate fr
22 matches