Re: Unbelievable!

2008-12-24 Thread Daniel Veditz
Paul Hoffman wrote: > At 1:16 AM +0200 12/24/08, Eddy Nigg wrote: >> Select Preferences -> Advanced -> View Certificates -> Authorities. >> Search for AddTrust AB -> AddTrust External CA Root and click >> "Edit". Remove all Flags. > > Doesn't this seem like a better solution than "sue Mozilla fo

Re: WebTrust

2008-12-24 Thread Eddy Nigg
On 12/25/2008 05:42 AM, David E. Ross: At one time, the WebTrust Web site included a page that listed certificate authorities that had obtained the WebTrust seal. The page was at. That link no longer deals with WebTrust seals. The URI redirects to

Re: WebTrust

2008-12-24 Thread Nelson B Bolyard
David E. Ross wrote, On 2008-12-24 19:42: > At one time, the WebTrust Web site included a page that listed > certificate authorities that had obtained the WebTrust seal. The page > was at . > > That link no longer deals with WebTrust seals. The URI redirects

WebTrust

2008-12-24 Thread David E. Ross
At one time, the WebTrust Web site included a page that listed certificate authorities that had obtained the WebTrust seal. The page was at . That link no longer deals with WebTrust seals. The URI redirects to

Re: Unbelievable!

2008-12-24 Thread Paul Hoffman
At 1:46 PM -0800 12/24/08, Nelson B Bolyard wrote: >Paul Hoffman wrote, On 2008-12-24 09:55: > > - Remove all trust anchors one-by-one >> - Add your single trust anchor >> - Sign the certs of any CA you want >> - Add those signed certs to the pre-loaded validation path (not root) > > cert list > >O

Re: Unbelievable!

2008-12-24 Thread Paul Hoffman
At 11:35 AM -0800 12/24/08, Kyle Hamilton wrote: >In the terminology of ASN.1 and PKIX, I want a standardized PKIX >extension that allows for a SEQUENCE OF Certificate within the >tbsCertificate structure. That makes no sense to me, but I would have to see a complete proposal to understand why yo

Re: Unbelievable!

2008-12-24 Thread sayrer
On Dec 23, 10:33 pm, Paul Hoffman wrote: > At 1:16 AM +0200 12/24/08, Eddy Nigg wrote: > > >Select Preferences -> Advanced -> View Certificates -> Authorities. Search > >for AddTrust AB -> AddTrust External CA Root and click "Edit". Remove all > >Flags. > > Put more rudely, why do you expect Dad

Re: JSS doesn't support AES key unwrapping

2008-12-24 Thread Nelson B Bolyard
alex.agra...@gmail.com wrote, On 2008-12-24 11:32: >> oh? This is the first report of this problem that I recall seeing. > > Here is a similar report that I was referring to: > http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/01028c36412d94bf Hmm. That message never r

Re: Unbelievable!

2008-12-24 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-12-24 14:53: > On Wed, Dec 24, 2008 at 2:46 PM, Eddy Nigg wrote: >> On 12/25/2008 12:36 AM, Kyle Hamilton: >>> To be honest, Mozilla doesn't distribute keytool with Firefox, which >>> means that I have to try to go into the (unbatchable) interface and >>> remove the fl

Re: dispute resolution procedures for Mozilla CA module

2008-12-24 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-12-24 14:42: > Thanks for the explanation. > > I do agree that the separation of responsibility would be good, since > Frank (appears to?) does the actual CA approval Yes > and you appear to be the one primarily who implements his directives as > regards the update

Re: Unbelievable!

2008-12-24 Thread Kyle Hamilton
On Wed, Dec 24, 2008 at 2:46 PM, Eddy Nigg wrote: > On 12/25/2008 12:36 AM, Kyle Hamilton: >> >> To be honest, Mozilla doesn't distribute keytool with Firefox, which >> means that I have to try to go into the (unbatchable) interface and >> remove the flags one. by. one. by. one. and then select th

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-24 Thread Eddy Nigg
On 12/25/2008 12:40 AM, Nelson B Bolyard: The answer is not that simple. The cited wiki page explains PKCS#10 Certificate Signing Requests (CSRs). CSRs are ONE way in which certificates can be requested from a CA after generating a key pair, but they are not the only way. IIRC, FF implements t

Re: Unbelievable!

2008-12-24 Thread Eddy Nigg
On 12/25/2008 12:36 AM, Kyle Hamilton: To be honest, Mozilla doesn't distribute keytool with Firefox, which means that I have to try to go into the (unbatchable) interface and remove the flags one. by. one. by. one. and then select the next certificate and remove those trust flags, and the next,

Re: dispute resolution procedures for Mozilla CA module

2008-12-24 Thread Kyle Hamilton
On Wed, Dec 24, 2008 at 1:42 PM, Nelson B Bolyard wrote: > Kyle Hamilton wrote, On 2008-12-23 21:20: >> On Tue, Dec 23, 2008 at 6:16 PM, Nelson B Bolyard wrote: >>> Anyway, I would support the creation of a "CA certificate" non-code module. >> >> I think this would be a really good idea. I'm awa

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-24 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-12-24 13:49: > Firefox does not send any private key. > http://en.wikipedia.org/wiki/Certificate_signing_request provides a > very good overview of what it does. The answer is not that simple. The cited wiki page explains PKCS#10 Certificate Signing Requests (CSRs).

Re: Unbelievable!

2008-12-24 Thread Kyle Hamilton
I'm also going to state that yes, I know this, because I HAVE DONE IT. And I wouldn't wish that hell on anyone who didn't have a DETAILED knowledge of how the X.509 model operates, and I wouldn't wish the user-interface hell on ANYONE. -Kyle H On Wed, Dec 24, 2008 at 2:36 PM, Kyle Hamilton wrot

Re: Unbelievable!

2008-12-24 Thread Kyle Hamilton
On Wed, Dec 24, 2008 at 1:46 PM, Nelson B Bolyard wrote: > Paul Hoffman wrote, On 2008-12-24 09:55: >> At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote: >>> I'd like to see an extension that allows other certificates (for the >>> same public key) to be included in a certificate (self-signed or not).

Re: Unbelievable!

2008-12-24 Thread Nelson B Bolyard
Paul Hoffman wrote, On 2008-12-24 09:55: > At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote: >> I'd like to see an extension that allows other certificates (for the >> same public key) to be included in a certificate (self-signed or not). > > Are you asking for a Mozilla extension or a PKIX extensio

Re: dispute resolution procedures for Mozilla CA module

2008-12-24 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-12-23 21:20: > On Tue, Dec 23, 2008 at 6:16 PM, Nelson B Bolyard wrote: >> Anyway, I would support the creation of a "CA certificate" non-code module. > > I think this would be a really good idea. I'm aware that my opinion > carries little weight, but I think that si

Re: Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-24 Thread Kyle Hamilton
Firefox does not send any private key. http://en.wikipedia.org/wiki/Certificate_signing_request provides a very good overview of what it does. 2008/12/24 Fost1954 : > Dear Firefox Developers, > > I understand that this should be the right place to ask: > > Using Firefox we would like to generate T

Security-Critical Information (i.e. Private Key) transmitted by Firefox to CA (i.e. Thawte) during X.509 key/cert generation

2008-12-24 Thread Fost1954
Dear Firefox Developers, I understand that this should be the right place to ask: Using Firefox we would like to generate Thawte X.509 E-Mail Certificates. When generating the Private/Public key pair using Firefox as well as requesting the certificate, we are logged in on the Thawte Website. *O

Re: CA liability. was: Publishing CA information documents in PDF format

2008-12-24 Thread Nelson B Bolyard
Kyle Hamilton wrote, On 2008-12-24 08:39: > On Wed, Dec 24, 2008 at 4:25 AM, Ian G wrote: >> PS: on an earlier comment, check this out: >> >> http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx >> >> This is, IMHO, the sort of work that Mozilla should be treating as more

Re: Unbelievable!

2008-12-24 Thread John Nagle
As a user of SSL certificates in our SiteTruth system, which attempts to identify and rate the business behind a web site, we're concerned about CA reliability and trust. We've been using Mozilla's approved root cert list for our system, and are considering whether we should continue to do so.

Re: Unbelievable!

2008-12-24 Thread Kyle Hamilton
In the terminology of ASN.1 and PKIX, I want a standardized PKIX extension that allows for a SEQUENCE OF Certificate within the tbsCertificate structure. I'm trying to figure out how I'm supposed to extract all the certificates from my database without any version of keytool that I can find availa

Re: JSS doesn't support AES key unwrapping

2008-12-24 Thread alex . agranov
> oh?  This is the first report of this problem that I recall seeing. Here is a similar report that I was referring to: http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/01028c36412d94bf

Re: Unbelievable!

2008-12-24 Thread Kyle Hamilton
On Tue, Dec 23, 2008 at 5:14 AM, Frank Hecker wrote: > Eddy Nigg wrote: >> >> Disabling the trust bits of "AddTrust External CA Root" could be a >> temporary measure to prevent damage to relying parties until Mozilla >> receives full report and disclosure from Comodo about its resellers and >> con

Re: Facts about Comodo Resellers and RAs

2008-12-24 Thread Eddy Nigg
On 12/24/2008 08:14 PM, Paul C. Bryan: Eddy: I personally believe you are working for the good of the PKI infrastructure, but you have to see that being a competitor to Comodo puts you in a perceived conflict of interest here. Is there no one you could put your contact(s) in touch with that is in

Re: Unbelievable!

2008-12-24 Thread Paul Hoffman
At 9:14 AM -0800 12/24/08, Kyle Hamilton wrote: >I'd like to see an extension that allows other certificates (for the >same public key) to be included in a certificate (self-signed or not). Are you asking for a Mozilla extension or a PKIX extension? If the latter, none is needed: it is already in

Re: Unbelievable!

2008-12-24 Thread Kyle Hamilton
On Wed, Dec 24, 2008 at 6:17 AM, Frank Hecker wrote: > Gen Kanai wrote: >> >> More discussion on this topic over at Programming Reddit: >> >> >> http://www.reddit.com/r/programming/comments/7lb96/ssl_certificate_for_mozillacom_issued_without/ > > Unfortunately the discussion devolved (as it always

Re: CA liability. was: Publishing CA information documents in PDF format

2008-12-24 Thread Kyle Hamilton
On Wed, Dec 24, 2008 at 4:25 AM, Ian G wrote: > PS: on an earlier comment, check this out: > > http://blogs.technet.com/mmpc/archive/2008/11/06/malware-and-signed-code.aspx > > This is, IMHO, the sort of work that Mozilla should be treating as more > important than today's case, because it evidenc

Re: CA liability. was: Publishing CA information documents in PDF format

2008-12-24 Thread David E. Ross
On 12/24/2008 3:36 AM, Ian G wrote: > Hi David, > > On 24/12/08 02:23, David E. Ross wrote: > {long diatribe by iang on liability snipped} > >> See the thread "Unbelievable" in this newsgroup. >> >> Now we have the situation in which Comodo allowed third-party CAs under >> its root to issue site

Facts about Comodo Resellers and RAs

2008-12-24 Thread Eddy Nigg
...as the story unfolds in front of us just before the holiday season, I'm going to provide more information and try to summarize the recent event(s). Nevertheless I wish to everybody happy Hanukkah and Xmas. Hereby the facts about Comodo and recent events: - Registration Authority (RA) of Com

Re: Unbelievable!

2008-12-24 Thread Frank Hecker
Eddy Nigg wrote: My blog article and exposure has provoked somebody to come forward with additional evidence concerning the reseller activities of Comodo. In order to protect the innocent I decided to provide this information confidentially to Frank Hecker for now. Stay tuned. To expand on w

Re: Unbelievable!

2008-12-24 Thread Frank Hecker
Gen Kanai wrote: More discussion on this topic over at Programming Reddit: http://www.reddit.com/r/programming/comments/7lb96/ssl_certificate_for_mozillacom_issued_without/ Unfortunately the discussion devolved (as it always does :-) into the merits of self-signed certificates. Oh well. Fr

Re: CA liability. was: Publishing CA information documents in PDF format

2008-12-24 Thread Ian G
On 24/12/08 12:36, Ian G wrote: Hi David, I would expect that Comodo would say that their RPA sets the scene, the baseline. I found this: http://www.comodo.com/repository/ http://www.comodo.com/repository/docs/relying_party.html Now, this might not be the right doc. But, let's assume it is, for

Re: CA liability. was: Publishing CA information documents in PDF format

2008-12-24 Thread Ian G
Hi David, On 24/12/08 02:23, David E. Ross wrote: {long diatribe by iang on liability snipped} See the thread "Unbelievable" in this newsgroup. Now we have the situation in which Comodo allowed third-party CAs under its root to issue site certificates without proper authentication of the subsc

Re: dispute resolution procedures for Mozilla CA module

2008-12-24 Thread Ian G
On 24/12/08 03:16, Nelson B Bolyard wrote: Ian G wrote, On 2008-12-23 05:58: 3. How to resolve a dispute. This is a Mozilla action & responsibility. Reverse-engineering and referring, I would suggest this as a teaser: a. The CA certificate "module owner" at Mozilla foundation is respons