* Nelson B. Bolyard:
> IMO, yes, it is enough evidence. But the position of those CAs, as I
> understand it, is that such publication is only a potential compromise.
> They require evidence that the published key is actually being used to
> attack the site. Otherwise, their customer agreement do
On Jan 20, 9:35 pm, Gervase Markham wrote:
> If you can give us a URL to a page which will always show the entire
> list you currently have, perhaps people in this group can add to it.
>
> Gerv
Thanks, Gerv! I went through each of the providers websites and found
their main support pages. I have
On 01/22/2009 03:50 AM, Julien R Pierre - Sun Microsystems:
Paul Hoffman wrote:
At 3:45 PM -0800 1/21/09, Nelson B Bolyard wrote:
Perhaps Mozilla should change its policy to require CAs to revoke certs
when the private key is known to be compromised, whether or not an
attack
is in evidence, as
On 01/22/2009 01:13 AM, Robert Relyea:
Eddy Nigg wrote:
Ah yes, maybe I should...it's in my nature to work around such
problems too many times. Basically if the CA certificates are imported
into the card, than those CAs take preference by NSS (for whatever
ever reason). Meaning, the builtin C
On Wed, Jan 21, 2009 at 5:50 PM, Julien R Pierre - Sun Microsystems
wrote:
> Paul Hoffman wrote:
>>
>> At 3:45 PM -0800 1/21/09, Nelson B Bolyard wrote:
>>>
>>> Perhaps Mozilla should change its policy to require CAs to revoke certs
>>> when the private key is known to be compromised, whether or n
Paul Hoffman wrote:
At 3:45 PM -0800 1/21/09, Nelson B Bolyard wrote:
Perhaps Mozilla should change its policy to require CAs to revoke certs
when the private key is known to be compromised, whether or not an attack
is in evidence, as a condition of having trust bits in Firefox.
Fully agree.
Jean-Daniel,
Jean-Daniel wrote:
Another possible reason is if you are comparing 32-bit NSS vs 64-bit
OpenSSL binaries. Regardless of assembly optimizations. The 64-bit code
is always a lot faster, even without optimizations.
Of course, but as my test exec is link on both library, so that coul
Nelson,
Nelson B Bolyard wrote:
Julien R Pierre - Sun Microsystems wrote, On 2009-01-21 15:03:
You are running Darwin, and freebl does not have any optimizations for
RSA on darwin. It has some assembly optimizations on most other x86
platforms. But on Darwin, freebl is built with plain C code
At 3:45 PM -0800 1/21/09, Nelson B Bolyard wrote:
>Perhaps Mozilla should change its policy to require CAs to revoke certs
>when the private key is known to be compromised, whether or not an attack
>is in evidence, as a condition of having trust bits in Firefox.
Fully agree.
--Paul Hoffman
--
dev
Nelson B Bolyard wrote:
Julien R Pierre - Sun Microsystems wrote, On 2009-01-21 15:03:
Even if you end up building NSS with optimizations, they use the regular
multiply instructions, which performs best on AMD chips, but not as well
on Intel CPUs. For Intel, one needs to use the SSE2 and abo
> You are running Darwin, and freebl does not have any optimizations
for
> RSA on darwin. It has some assembly optimizations on most other x86
> platforms. But on Darwin, freebl is built with plain C code, and no
> assembly at all. That is one reason why the code is running a lot slower.
>
> It's
Eddy Nigg wrote, On 2009-01-21 15:25:
> On 01/22/2009 01:07 AM, Nelson B Bolyard:
>> Yes, but some of the CAs were emphatic that they would not revoke the
>> certs unless their customers requested them to do so. As I understand it,
>> basically they said that their agreement with their customer di
On 01/22/2009 01:07 AM, Nelson B Bolyard:
Yes, but some of the CAs were emphatic that they would not revoke the
certs unless their customers requested them to do so. As I understand it,
basically they said that their agreement with their customer did not allow
them to revoke the cert without the
Eddy Nigg wrote, On 2009-01-21 07:49 PST:
> On 01/21/2009 03:41 PM, Nelson Bolyard:
>> Eddy Nigg wrote, On 2009-01-21 05:16:
>>> If the CA certificates are on the card, there are some odd behaviors.
>>
>> Oh? Please tell us more.
>
> Ah yes, maybe I should...it's in my nature to work around such
Julien R Pierre - Sun Microsystems wrote, On 2009-01-21 15:03:
> You are running Darwin, and freebl does not have any optimizations for
> RSA on darwin. It has some assembly optimizations on most other x86
> platforms. But on Darwin, freebl is built with plain C code, and no
> assembly at all.
Michael Bell wrote:
Eddy Nigg wrote:
On 01/21/2009 01:07 PM, Michael Bell:
Eddy Nigg wrote:
On 01/21/2009 11:57 AM, Michael Bell:
Which driver are you using on Linux? Is this an Aladdin eToken? Which
library did you choose as the PKCS11 module?
I use a Siemens CardOS
Eddy Nigg wrote:
Ah yes, maybe I should...it's in my nature to work around such
problems too many times. Basically if the CA certificates are imported
into the card, than those CAs take preference by NSS (for whatever
ever reason). Meaning, the builtin CA root isn't visible in the cert
man
Jean-Daniel,
Jean-Daniel wrote:
I did an other simple test that call SECKEY_CreateRSAPrivateKey() in a
loop and then call the OpenSSL equivalent to compare both functions.
NSS does not perform as bad as I thought first, but it remain slower
than what I expect on a modern machine.
See the resul
Jean-Marc Desperrier wrote, On 2009-01-21 01:13 PST:
> Now did we not receive promises by the CAs that they were *actively*
> working to solve the problem and get all sites to replace their cert ?
Yes, but some of the CAs were emphatic that they would not revoke the
certs unless their customers
Jean-Marc Desperrier wrote:
Now did we not receive promises by the CAs that they were *actively*
working to solve the problem and get all sites to replace their cert ?
I don't know.
Have any of those certs been revoked ?
___
dev-tech-crypto mailing l
On 01/21/2009 10:30 PM, Nelson B Bolyard:
It would be useful to know the complete contents of any key usage and
extended key usage extensions present.
That would have been:
Key Usage: Digital Signature, Non Repudiation, Key Encipherment, Data
Encipherment
Extended Key Usage: TLS Web Client Au
Eddy Nigg wrote, On 2009-01-21 07:59:
> I've received your certificate by email privately and there is nothing
> special to see there. The only "issue" I saw was that Non Repudiation in
> listed in the key usage. I'm not sure, but I saw once a bug suggesting
> to disallow it for S/MIME.
It wou
Michael Bell wrote, On 2009-01-21 08:29:
> Nelson Bolyard wrote:
>
>> I think it would be more useful to find out if FF/TB can find the cert(s)
>> for the issuer of your cert, and what extensions (if any) it finds in
>> your cert, and the contents of those extensions.
>
> Well, after I started fr
In https://bugzilla.mozilla.org/show_bug.cgi?id=472975 georgi said in comment
12:
offtopic question:
afaict when doing a ssl connection, the server *doesn't sign* anything with his
private key (in most cases). though the server needs it for finding the session
secret.
are attacks with symmetr
>Is this useful for people?
Yes. If for some reason you need to stop supporting this wonderful, please let
this list know in advance. I, for one, would be willing to take it over.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https:
Nelson Bolyard wrote:
> I think it would be more useful to find out if FF/TB can find the cert(s)
> for the issuer of your cert, and what extensions (if any) it finds in
> your cert, and the contents of those extensions.
Well, after I started from scratch with a TB from Mozilla the purpose
was co
On 01/21/2009 04:50 PM, Johnathan Nightingale:
Is this useful for people? My sense is that we've been lacking this
information (except from paid sources) for some time, but I'd like to
hear whether anyone in this group finds it helpful to have.
I already left a message at the blog, but short n
Eddy Nigg wrote:
>
>> On 01/21/2009 03:36 PM, Michael Bell:
>
>> Sorry for wasting your time
>
> No waste was produced ;-)
Good to know.
> Also the CA certificates must be imported into your profile for this to
> work and have the correct trust bits set.
This is already the case.
> Besides tha
On 01/21/2009 03:36 PM, Michael Bell:
Hi,
I think we or better I should stop here. OpenSC clearly announced that
CardOS V4.3B is only supported if the card was created with OpenSC. So
you were hundert percent right. It looks like only the error message is
not fully correct. I read on an OpenSC p
On 01/21/2009 03:41 PM, Nelson Bolyard:
Eddy Nigg wrote, On 2009-01-21 05:16:
On 01/21/2009 03:10 PM, Michael Bell:
Do you mean that all CA certificates must be present if the card is
removed from the machine?
If the CA certificates are on the card, there are some odd behaviors.
Oh? Please
On Jan 21, 2:36 pm, Nelson Bolyard
wrote:
> Jean-Daniel wrote to mozilla.dev.security on 2009-01-20 10:42 PST:
>
> > Hello, I'm trying to generate a keypair using nss, but I encounter some
> > issue. My key generation can take up to 30 seconds on a recent machine
> > (Core 2 Duo 2.2 Ghz) (most gen
On 21/1/09 15:50, Johnathan Nightingale wrote:
Hi folks,
I just posted a blog entry here about a side project I've had running
for a little while:
http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/
The very short version is that I crawled the top 1M sites (according to
Alexa)
Hi folks,
I just posted a blog entry here about a side project I've had running
for a little while:
http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/
The very short version is that I crawled the top 1M sites (according
to Alexa) to harvest some basic SSL information, inc
Michael Bell wrote, On 2009-01-21 05:36:
> I think we or better I should stop here. OpenSC clearly announced that
> CardOS V4.3B is only supported if the card was created with OpenSC. So
> you were hundert percent right. It looks like only the error message is
> not fully correct. I read on an Ope
Michael Bell wrote, On 2009-01-21 04:12:
> Michael Bell wrote:
>
>> I analysed the situation and discovered that the purpose of the cert
>> on Windows is "Client, sign, encrypt" but the purpose on Linux is
>> "".
Can you see the actual contents of the cert itself inside FF's certificate
manager
Eddy Nigg wrote, On 2009-01-21 05:16:
> On 01/21/2009 03:10 PM, Michael Bell:
>> Do you mean that all CA certificates must be present if the card is
>> removed from the machine?
>
> If the CA certificates are on the card, there are some odd behaviors.
Oh? Please tell us more.
_
Jean-Daniel wrote to mozilla.dev.security on 2009-01-20 10:42 PST:
> Hello, I'm trying to generate a keypair using nss, but I encounter some
> issue. My key generation can take up to 30 seconds on a recent machine
> (Core 2 Duo 2.2 Ghz) (most generation take less the 10 seconds, and
> sometimes le
Hi,
I think we or better I should stop here. OpenSC clearly announced that
CardOS V4.3B is only supported if the card was created with OpenSC. So
you were hundert percent right. It looks like only the error message is
not fully correct. I read on an OpenSC page that there is a secret
StartKey whic
On 01/21/2009 03:10 PM, Michael Bell:
Do you mean that all CA certificates must be present if the card is
removed from the machine?
If the CA certificates are on the card, there are some odd behaviors.
Instead I suggest that you REMOVE the CA certificates from the card
entirely and install t
On 01/21/2009 02:56 PM, Michael Bell:
Okay, I removed my Thunderbird config and started from scratch. The
behaviour does not change. How does Thunderbird determine the purpose?
Does it parse the extensions or does it query the PKCS#11 token?
The key usage is defined in the certificate itself.
Eddy Nigg wrote:
>
> On 01/21/2009 01:19 PM, Michael Bell:
>> No, I use the Siemens software on Windows and OpenSC on Linux.
>
> To all of my knowledge they aren't compatible.
After I removed my whole thunderbird profile I am one step further. The
certificate displays the correct purpose but it s
Michael Bell wrote:
> Michael Bell wrote:
>
>> I analysed the situation and discovered that the purpose of the cert
>> on Windows is "Client, sign, encrypt" but the purpose on Linux is
>> "". I checked the cert with OpenSSL and noticed that the
>> certificate does not include the usual nsCertType
On 01/21/2009 01:19 PM, Michael Bell:
No, I use the Siemens software on Windows and OpenSC on Linux.
To all of my knowledge they aren't compatible.
The card is produced with the Windows software. "pkcs15-tool -c" from
OpenSC on Linux works.
Does that command list the certificates which wher
In the past we have discussed Skype a lot, and I've held it out as a
great example, possibly the leading example of *architecture*. Here's
some news on how its light is slowly dimming:
https://financialcryptography.com/mt/archives/001105.html
Also, here is a great resource for those who wan
Michael Bell wrote:
> I analysed the situation and discovered that the purpose of the cert
> on Windows is "Client, sign, encrypt" but the purpose on Linux is
> "". I checked the cert with OpenSSL and noticed that the
> certificate does not include the usual nsCertType extensions.
Can I remove th
Eddy Nigg wrote:
>
> On 01/21/2009 01:07 PM, Michael Bell:
>> Eddy Nigg wrote:
>>
>>> On 01/21/2009 11:57 AM, Michael Bell:
>>>
>>> Which driver are you using on Linux? Is this an Aladdin eToken? Which
>>> library did you choose as the PKCS11 module?
>>
>> I use a Siemens CardOS V4.3B Smartcard. It
On 01/21/2009 01:09 PM, Michael Bell:
Michael Bell wrote:
I analysed the situation and discovered that the purpose of the cert
on Windows is "Client, sign, encrypt" but the purpose on Linux is
"". I checked the cert with OpenSSL and noticed that the
certificate does not include the usual nsCertT
On 01/21/2009 01:07 PM, Michael Bell:
Eddy Nigg wrote:
On 01/21/2009 11:57 AM, Michael Bell:
Which driver are you using on Linux? Is this an Aladdin eToken? Which
library did you choose as the PKCS11 module?
I use a Siemens CardOS V4.3B Smartcard. It is a real Smartcard and no
USB token.
U
Michael Bell wrote:
>
> I analysed the situation and discovered that the purpose of the cert
> on Windows is "Client, sign, encrypt" but the purpose on Linux is
> "". I checked the cert with OpenSSL and noticed that the
> certificate does not include the usual nsCertType extensions.
Can this be in
Eddy Nigg wrote:
> On 01/21/2009 11:57 AM, Michael Bell:
>
> Which driver are you using on Linux? Is this an Aladdin eToken? Which
> library did you choose as the PKCS11 module?
I use a Siemens CardOS V4.3B Smartcard. It is a real Smartcard and no
USB token. I use the OpenSC PKCS#11 module.
Best
Gen Kanai wrote:
>
> Have you tried downloading Thunderbird for Linux from Mozilla and trying
> that?
Yes, after your recommendation I downloaded Thunderbird 2.0.0.19
directly from Mozilla. The HW version of the internal PKCS#11 token on
Windows and Linux are no identical. Nevertheless the certif
What's going on with the CA Schedule and public discussions of CAs?
There was once a schedule at https://wiki.mozilla.org/CA:Schedule which
is unrealistic at best?
What's going on with Frank? I'm somewhat worried!
Whatever prevents from continuing this work, I think it's highly
unprofessional
On 01/21/2009 11:57 AM, Michael Bell:
I use a Smartcard with a X.509 certificate (Siemens CardOS). This
certificate works with Thunderbird 2.0.0.19 on Microsoft Windows XP
SP3. If I use the same smartcard with Linux and Thunderbird 2.0.0.19
(more exactly icedove from Debian unstable) then I can c
On 01/20/2009 06:50 PM, Ian G:
This is what I believe Mozilla cares.
Mozilla doesn't need to resolve disputes, it must know
what to do under certain circumstances in order to protect itself and
its users. Those are two different kind of things.
OK, so let's say you are Mozo, coz you know what
On Jan 21, 2009, at 6:57 PM, Michael Bell wrote:
SP3. If I use the same smartcard with Linux and Thunderbird 2.0.0.19
(more exactly icedove from Debian unstable) then I can configure all
the necessary stuff (e.g. assign the cert to the mail account) but I
cannot use the cert to sign or encrypt
Hi,
I use a Smartcard with a X.509 certificate (Siemens CardOS). This
certificate works with Thunderbird 2.0.0.19 on Microsoft Windows XP
SP3. If I use the same smartcard with Linux and Thunderbird 2.0.0.19
(more exactly icedove from Debian unstable) then I can configure all
the necessary stuff (e
Gervase Markham wrote:
Jean-Marc Desperrier wrote:
But by far the most interesting thing on the site is the list of ssl
sites that are *still* using compromised keys, established through that
extension :
http://www.codefromthe70s.org/sslblacklist-badcerts.aspx
Hmm. walmart.com is the big hitte
57 matches
Mail list logo
