Re: How to import a p7c file into Firefox?

2009-02-05 Thread Eddy Nigg
On 02/05/2009 06:36 PM, Vidal Pascal: Thank you for your reply. In fact, I have a certificate containing an AIA extension. In this extension, there is the URL of my .p7c file, which includes 3 certificates. These certificates are required to build the trusted chain. As indicated, Firefox will no

Re: newbie problems with certutil and signtool

2009-02-05 Thread Nelson B Bolyard
Thanks to David and Kyle for supplying information about InstallShield and its use of NSS for making Netscape Communicator compatible installers. David Tiertant wrote, On 2009-02-05 07:35: > Hi and thanks very much for the reply. Just to back things up a little > bit, I'll try to illustrate what

Re: newbie problems with certutil and signtool

2009-02-05 Thread Nelson B Bolyard
David Tiertant wrote, On 2009-02-05 07:52: > Interestingly enough, when I tried to include -d, signtool refused to do > anything other than spit out its syntax help. The process runs when > removing -d. It ends in an error (as you stated, probably related to > trust flags), but it runs. Could th

Re: Building certificate trusted chain problem

2009-02-05 Thread Nelson B Bolyard
Vidal Pascal wrote, On 2009-02-04 08:35 PST: > I look for some information about Firefox and the building trusted chain > mechanism. I have a certificate containing two URLs in the AIA extension: > > 1) p7c files containing cross-certificates > 2) OCSP URL PKCS#7 defines 6 content types: data, sig

Re: "pretty print" a cert from JSS

2009-02-05 Thread Glen Beasley
David Stutzman wrote: Is there a way to pretty print a certificate using JSS? I know NSS has the functionality based on output from certutil -L -n "nickname". You can code the same pretty print functionality, but there is no existing function that duplicates certutil -l -n. You can start wit

Re: Full Disclosure!

2009-02-05 Thread Eddy Nigg
On 02/05/2009 08:36 PM, Gervase Markham: Eddy: I don't think Frank is saying that you made the _same_ mistakes as CertStar (out-sourcing validation etc. etc.), but that you made _a_mistake_, just like they did. He then goes on to make the point that making a mistake is not the end of the world.

Re: Proposal to split this list

2009-02-05 Thread Ian G
On 5/2/09 18:34, Frank Hecker wrote: Ian G wrote: OK, I'll wait. I don't have an NNTP reader, or don't know what one is. We'll forgive you the confusion. It's like saying "HTTP reader" instead of "browser" :-) Oh, it's newsgroup reader, got it, thanks. Is it something in Firefox or Thunde

mod_nss self-signed cert for OCSP responder

2009-02-05 Thread Ahnjoan Amous
I'm attempting configuration of mod_nss to use an OCSP responder. My OCSP responder uses a self-signed certificate (call it OCSPcert) to sign responses; my web server uses a certificate (call it SERVERcert) signed by a trusted CA (call it CA1cert). I also have a second trusted CA (call it CA2cert

Re: Full Disclosure!

2009-02-05 Thread Gervase Markham
Eddy Nigg wrote: >> So IMO you get points for prompt disclosure and fixes, but in the end >> you messed up just like Comodo and CertStar did. > > Nonono :-) > > I see the main differences as follows and I believe the main > differences are policy wise (and allow me to comment on this since you >

Re: Policy: revoke on private key exposure

2009-02-05 Thread Eddy Nigg
On 02/05/2009 04:13 PM, Frank Hecker: I agree. I think this is a case where it definitely makes sense to have this be a requirement. I also think the case of revocation on key compromise is relatively clear, and I don't anticipate any major problems finding policy language to deal with it. Terr

Re: Policy: revoke on private key exposure

2009-02-05 Thread Eddy Nigg
On 02/05/2009 04:03 PM, Frank Hecker: I agree that it would be unusual for a CPS to state that certificate revocation could be done only at the request of the subscriber. However I *can* imagine a CPS where this would be ambiguous. For example, your StartCom CPS is very slightly ambiguous, since

Re: Howto sign CRMF requests?

2009-02-05 Thread Nelson B Bolyard
David Stutzman wrote, On 2009-02-05 04:57: > Nelson B Bolyard wrote: >> axi...@googlemail.com wrote, On 2009-02-03 04:09: >>> Is there a way to sign CRMF and create CMMF using JSS? > CRMF requests aren't signed. I interpreted the question to mean "Is there a way to issue a cert based on the cont

Re: Proposal to split this list

2009-02-05 Thread Frank Hecker
Ian G wrote: OK, I'll wait. I don't have an NNTP reader, or don't know what one is. We'll forgive you the confusion. It's like saying "HTTP reader" instead of "browser" :-) Is it something in Firefox or Thunderbird? You can read Mozilla newsgroups in Thunderbird by creating a "newsgroup

Re: newbie problems with certutil and signtool

2009-02-05 Thread David Tiertant
And now... http://david.tiertant.com/installshield/007.jpg This shows that I have to create the DBs using certutil -N -d . first or I get the security authorization error when attempting to create the certificate. So I delete the DBs, create new empty ones, then create a certificate using tru

Re: How to import a p7c file into Firefox?

2009-02-05 Thread Vidal Pascal
Hi, thank you for your reply. In fact, I have a certificate containing an AIA extension. In this extension, there is the URL of my .p7c file, which includes 3 certificates. These certificates are required to build the trusted chain. Let me explain: I have two PKI domains: A and B. A server in the d

Re: newbie problems with certutil and signtool

2009-02-05 Thread David Tiertant
Interestingly enough, when I tried to include -d, signtool refused to do anything other than spit out its syntax help. The process runs when removing -d. It ends in an error (as you stated, probably related to trust flags), but it runs. Could this be a bug in signtool? This is shown below. ht

Re: newbie problems with certutil and signtool

2009-02-05 Thread David Tiertant
Yes, this is a basic overview of the process for anyone interested in the problem. Thanks! Kyle Hamilton wrote: InstallShield is its own separate thing. Newer versions use the Microsoft Installer (MSI) capability, but it is still made by Acresso (spun off from Macrovision). http://kb.acres

Re: Proposal to split this list

2009-02-05 Thread Ian G
On 5/2/09 14:22, Eddy Nigg wrote: On 02/05/2009 03:14 PM, Ian G: Excellent, OK, so I went here: https://lists.mozilla.org/listinfo/dev-security and subscribed. I guess it is up to each person to do that. Ian, this is the wrong list. The new list is called dev.security.policy, not dev.securi

Re: newbie problems with certutil and signtool

2009-02-05 Thread David Tiertant
Hi and thanks very much for the reply. Just to back things up a little bit, I'll try to illustrate what I would like to accomplish. I work for a software company and we typically distribute our software on CD media. The software is fairly specialized and only works when connected to a server, e

"pretty print" a cert from JSS

2009-02-05 Thread David Stutzman
Is there a way to pretty print a certificate using JSS? I know NSS has the functionality based on output from certutil -L -n "nickname". Dave -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Policy: revoke on private key exposure

2009-02-05 Thread Frank Hecker
Eddy Nigg wrote: On 02/05/2009 04:05 AM, Frank Hecker: * In the near term I think we should make it a recommended practice that CAs should revoke certificates whose private keys are known to be compromised, as well as certificates for which subscriber verification is known to be invalid. Well,

Re: Policy: revoke on private key exposure

2009-02-05 Thread Frank Hecker
Eddy Nigg wrote: On 02/05/2009 04:23 AM, Kyle Hamilton: Once a key is in compromised state, it can never become uncompromised again. Enforcing this is part of the trust that I have in the certification authorities -- and why I don't currently trust any of them to tell me who anyone happens to b

Re: Proposal to split this list

2009-02-05 Thread Eddy Nigg
On 02/05/2009 03:14 PM, Ian G: Excellent, OK, so I went here: https://lists.mozilla.org/listinfo/dev-security and subscribed. I guess it is up to each person to do that. Ian, this is the wrong list. The new list is called dev.security.policy, not dev.security. It seems that the new list d

Re: Proposal to split this list

2009-02-05 Thread Ian G
Excellent, OK, so I went here: https://lists.mozilla.org/listinfo/dev-security and subscribed. I guess it is up to each person to do that. Now, the list charter! As a starting point: == a. Discussion on security policy, governance, directions and architecture in common for

Re: Howto sign CRMF requests?

2009-02-05 Thread David Stutzman
Nelson B Bolyard wrote: axi...@googlemail.com wrote, On 2009-02-03 04:09: Is there a way to sign CRMF and create CMMF using JSS? > If there is, you'll find it somewhere in http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/crmf/ CRMF requests aren't signed. I think thi

Re: How to import a p7c file into Firefox?

2009-02-05 Thread Eddy Nigg
On 02/05/2009 02:38 PM, Vidal Pascal: Hi, does anybody have a solution to import automatically (via AIA extension) some certificates which are in a p7c file? What do you mean by "AIA" extension? If some CA certificates are chained to the EE certificate and included in the PKCS7 file then th

How to import a p7c file into Firefox?

2009-02-05 Thread Vidal Pascal
Hi, does anybody have a solution to import automatically (via AIA extension) some certificates which are in a p7c file? It works with IE 6 & 7. Best regards, Pascal -- View this message in context: http://www.nabble.com/How-to-imoprt-a-p7c-files-into-firefox--tp21850565p21850565.html Sent

Re: Policy: revoke on private key exposure

2009-02-05 Thread Eddy Nigg
On 02/04/2009 07:39 PM, Frank Hecker: Re resellers, I think it is a fruitless task for us to try to move the entire CA industry to change the way it operates as a business. Our main interest is in having CAs maintain effective controls over their authorized agents, whether these be actual reselle

Re: Full Disclosure!

2009-02-05 Thread Eddy Nigg
On 02/04/2009 08:27 PM, Frank Hecker: 2. I understand that what happened in the case of StartCom was not exactly the same as what happened in the case of Comodo/CertStar. However it's part of web security basics to assume that whatever a client sends to a server is untrusted and must be (re)verif