Graham Leggett wrote:
> The way the process works is that you have to shepherd the patch through
> all the way until all the issues are resolved. And if someone raises
> an issue, don't assume that time will magically appear in their diary to
> fix your patch for you, that is your job.
I'm gett
On Sun, Nov 30, 2008 at 5:38 AM, Michael Ströder <[EMAIL PROTECTED]> wrote:
>> Sure there's ultimate trust.
>
> I disagree. You are making a trust decision only in a certain context.
>
> To avoid getting too philosophical a PKI-related example: You would trust
> your employer to issue certs for encry
Kaspar Brand wrote:
And you've kept chasing this issue up on the dev list?
Graham, I'm getting tired of this conversation. Of course I brought up
SNI repeatedly on httpd-dev - in January, April, June, and August. But
if the feedback on the list is almost zero with each additional attempt,
then
I must apologize; I was in error about keytool being able to
export a P12 file out of the JCE keystore - this cannot be
done by keytool yet - you can only import P12's in JDK6.
However, if you're still interested in keytool for generating
keys and certs, "keytool -help" or "man keytool" provide a
> And you've kept chasing this issue up on the dev list?
Graham, I'm getting tired of this conversation. Of course I brought up
SNI repeatedly on httpd-dev - in January, April, June, and August. But
if the feedback on the list is almost zero with each additional attempt,
then I'm losing interest i
Kaspar Brand wrote:
I'm quite familiar with that file, thanks for the pointer. Perhaps you
should have a look at
http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/[EMAIL PROTECTED]
and
http://mail-archives.apache.org/mod_mbox/httpd-dev/200810.mbox/[EMAIL PROTECTED]
before advisi
Graham Leggett wrote:
> The authoritative status of the httpd-2.2 backport is in the STATUS file
> in the httpd v2.2 branch, and that currently says this:
I'm quite familiar with that file, thanks for the pointer. Perhaps you
should have a look at
http://mail-archives.apache.org/mod_mbox/httpd-d
Ian G wrote:
(Client side certs are a lot more ready for mass-deployment than S/MIME
ones, but still have their foibles. One thing I discovered was that if
you have multiple certs, the KCM is not so well developed in Firefox. It
works if set to "choose-by-self," in which case we don't know whi
Kaspar Brand wrote:
Not really true, actually... for a fuller version of the story, see e.g.
The authoritative status of the httpd-2.2 backport is in the STATUS file
in the httpd v2.2 branch, and that currently says this:
Backport version for 2.2.x of updated patch:
http://pe
On 2 Dec, 22:11, Arshad Noor <[EMAIL PROTECTED]> wrote:
> I've never had to use ClientAuth with Sun's Directory Server,
> but here are some observations:
>
> 1) Keys are *never* stored in certN.db; they're always in keyN.db;
> only certificates are in certN.db. The association between the
>
Kaspar Brand wrote, On 2008-12-03 08:36 PST:
> http://sni.velox.ch/httpd-2.2.x-sni.patch is working pretty well for
> 2.2, though (have a look at https://sni.velox.ch).
Kaspar, Thank you for building and maintaining that web site.
It is the ONLY web site known to me that implements SNI.
I use it
Graham Leggett wrote:
> My understanding is that SNI is supported in httpd-trunk, soon to become
> httpd v2.3.0. The people who created the patch apparently didn't make it
> compatible with httpd v2.2, and it has blocked its backport.
Not really true, actually... for a fuller version of the stor
On 12/02/2008 11:24 PM, Ian G:
Liability: this is a huge issue that all should look towards. CAs set
liability to zero, approximately, in general. Mozilla should do the
same. Once this is done, it removes a false barrier that we keep
tripping over; and we can better add value once it is gone.
On 12/02/2008 08:16 PM, Ian G:
Right, CAs won't have the private keys, unless they do. I imagine a
corporate CA can do what it likes, and doesn't need the consent of the
user.
Sure, but they aren't in my list of CA roots.
And if my CA says "we got your private keys", then you have the choice
On 12/02/2008 08:04 PM, Ian G:
Eddy Nigg wrote:
In case of Skype they are the software vendor and control the
software, the issuing instance and also the user
Right, they do everything. One advantage for today: in the case of Skype
we (the user) only have to pay for one organisation. In the ca
http://www.w3.org/2008/security-ws/venue.html
I'm going to this event not because of any deep interests in APIs for location
or battery power, but because there is a need to discuss how XML protocols like
DSKPP, KeyGen2, WASP, WebAuth, and similar should be integrated in browsers. I
don't beli
On 12/02/2008 07:53 PM, Ian G:
(Client side certs are a lot more ready for mass-deployment than S/MIME
ones, but still have their foibles. One thing I discovered was that if
you have multiple certs, the KCM is not so well developed in Firefox. It
works if set to "choose-by-self," in which case we
Ian G wrote:
Albeit, only to those interested in SSL certs. Conceivably this would
be made a lot more fluid if Apache were to release TLS/SNI, and to a
lesser extent, Microsoft's IIE.
My understanding is that SNI is supported in httpd-trunk, soon to become
httpd v2.3.0. The people who creat
Eddy Nigg wrote:
On 11/29/2008 02:37 PM, Eddy Nigg:
Which they are indeed permitted to do, as long as they state that in
their procedures, and their auditor agrees that they have met criteria.
Eddy, other than your need to be colourful, what was the point you were
trying to make?
Well, CAs M
Anders Rundgren wrote:
http://www.mozilla.org/projects/security/certs/policy
From what I have seen on this list there has been a lot of talk about
inclusion of various CA root certificates in the Mozilla distributions.
IMO, most of these CAs are insignificant except for SSL certs.
Well, to
Eddy Nigg wrote:
On 11/29/2008 01:23 PM, Ian G:
Eddy Nigg wrote:
On 11/27/2008 01:22 PM, Ian G:
How do we know whether the keys are managed properly? Good question!
Well, it's a closed architecture & codebase, but it has been audited, so
it bears comparison to any CA which operates a closed/
Frank Hecker wrote:
Eddy Nigg wrote:
Getting a certificate happens at some CAs already during the
registration process (cough, cough).
This is an interesting point, which I think supports at least some of
Ian's arguments. What you've done is to provide a real incentive for
users to get clien