DanKegel wrote, On 2009-03-18 09:06:
> On Mar 18, 4:05 am, Nelson B Bolyard wrote:
>>> Hmm. Can't find 3.12.2.
>>> http://www.mozilla.org/projects/security/pki/nss/nss-3.12.2/nss-3.12
>>> says it's at
>>> https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1...
>>> but that di
Hi,
There was a question about what the relationship of this root insertion request
to our Class 0 certificate is:
TC Class 0 certificates are used for testing purposes only.
TC TrustCenter intentionally did not ask for insertion of the "TC Class 0"
root certificate.
The "TC Universal" roots have not
On Mar 18, 4:05 am, Nelson B Bolyard wrote:
> > Hmm. Can't find 3.12.2.
> > http://www.mozilla.org/projects/security/pki/nss/nss-3.12.2/nss-3.12
> > says it's at
> > https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_1...
> > but that directory doesn't exist...
>
> Hmm.
> Well,
On 03/18/2009 04:39 PM, Rolf Lindemann:
There are a small number of external CAs that have been signed by our root.
They are not part of a formal audit, but our Director of Security does audit
and review their CPSs.
There are no requirements for the external entities to undergo third party
audits
I'm in the process of porting over certificate path building code from
using Sun's API to using JSS as we are gradually migrating all of our
crypto over to JSS/NSS. I'm running some testing with
CryptoManager.buildCertificateChain(X509Certificate leaf).
If I grab a cert out of the db and pass i
You seem to misunderstand the reason there's friction here. (I do
understand your reasoning -- there are a lot of active certificates in
active use under that root, and you would like to see Thunderbird
support them.)
However:
Over the past several years, the process for getting CAs approved has
I think a reasonable default would be about 10 or 15 minutes, with a
refresh of the session (moving it back to 0 minutes) every successful
request?
-Kyle H
On Wed, Mar 18, 2009 at 6:56 AM, Joe Orton wrote:
> On Tue, Mar 17, 2009 at 10:26:35AM -0700, Robert Relyea wrote:
>> Cert selection for Fir
Alright, I have misremembered. But, this brings up a point:
What's the appropriate response to a 3,0 or 3,1 protocol server that
sends a 0-length ClientCertificateType Certificate request message?
Under a strict reading of the RFC (2246 is the one I'm looking at, for
TLS 1.0 (corresponding to 3,1
Hi,
> The comment from https://bugzilla.mozilla.org/show_bug.cgi?id=392024#c42
> and further in comment 44 suggests that there *are* external subordinate
> CA certificates. Do we know how many and if they were included
> in the audits? Also will they be part of the audits or are only the
> control
Hi,
> http://www.mozilla.org/projects/security/certs/pending/#TC%20TrustCenter
> the first entry refers to a root (TC TrustCenter Class 1 CA)
> with a key size of 1024 bit and which expires on 2011-01-01. I think
> it's unreasonable to expect to have this root considered for inclusion
> and this
On Tue, Mar 17, 2009 at 10:26:35AM -0700, Robert Relyea wrote:
> Cert selection for Firefox does need to be improved. On the other hand,
> I found the larger memory footprint argument somewhat confusing. At the
> cost of about 20 bytes per client you would rather chew up CPU and
> network reso
Varga Viktor wrote, On 2009-03-18 06:07:
> Will there then be multiple OCSP inclusion? (This time it's OK, the software can
> only check the first, but later the others too.)
Yes, including multiples of these things won't hurt. Firefox won't
crash or refuse to connect because multiple URIs for these th
I agree completely. The RFC does not exclude it. It's not a bad idea.
> Does the Firefox handle it?
Alas, no. I believe it always uses the first one it finds in the cert,
and only that.
Will there then be multiple OCSP inclusion?
(This time it's OK, the software can only check the first, but later
Kyle Hamilton wrote, On 2009-03-18 04:20:
> On Wed, Mar 18, 2009 at 3:28 AM, Nelson B Bolyard wrote:
>> b) they have NO CA CERTIFICATES marked as trusted to issue client certs,
>> so they violate the SSL and TLS 1.0 protocols by sending out empty lists
>> of issuer names for CA certs, which give c
On 18/3/09 11:28, Nelson B Bolyard wrote:
> Joe Orton wrote, On 2009-03-17 08:55:
> > It seems like a poor trade-off to require a larger memory footprint of
> > all the SSL servers in the world,
> I hear that disk space is pretty cheap these days. 1TB == USD 85
> > rather than improve Firefox to be a bit
On Wed, Mar 18, 2009 at 3:28 AM, Nelson B Bolyard wrote:
> b) they have NO CA CERTIFICATES marked as trusted to issue client certs,
> so they violate the SSL and TLS 1.0 protocols by sending out empty lists
> of issuer names for CA certs, which give clients no information with which
> to determine
DanKegel wrote, On 2009-03-18 03:45:
> On Mar 15, 9:35 pm, Nelson B Bolyard wrote:
>> ...
>
> Thanks for the tips. I'm using various versions of Ubuntu, and also
> 3.12 compiled by hand. I'll come back with more info if I still have
> problems afterwards.
>
>> There were a bunch of leaks invol
On 03/18/2009 12:57 PM, Nelson B Bolyard:
CDP is different, in numerous ways and for numerous reasons.
Today, Firefox does not do fetching of certs based on CDP, but that is
being implemented now, and I expect it will try potentially all DPs
until it gets an acceptable answer or exhausts the list
Varga Viktor wrote, On 2009-03-09 06:12:
> Multiple caIssuers and OCSP in AIA field, multiple CDP:
>
> The RFC 5280 doesn’t exclude having multiple OCSP and caIssuers fields
> in the AIA. It is good for redundancy, for example to have two OCSP
> responders, when one of th
On Mar 15, 9:35 pm, Nelson B Bolyard wrote:
> ...
Thanks for the tips. I'm using various versions of Ubuntu, and also 3.12
compiled by hand. I'll come back with more info if I still have
problems afterwards.
> There were a bunch of leaks involving NSS "Error stacks". Most of them
> were fixed
On 03/18/2009 10:53 AM, Rolf Lindemann:
Hi,
It is planned to phase out the "TC Class 2 CA" and "TC Class 3 CA" 1024 bit
root certificates - which have already been included in Mozilla - before the end
of 2010.
There is not yet a schedule for phasing out the "TC Class 2 CA II" and "TC
Class 3 CA II"
On 03/18/2009 10:46 AM, Rolf Lindemann:
Hi,
There was a question about what the relationship of this root insertion request
to our Class 0 certificate is:
TC Class 0 certificates are used for testing purposes only.
TC TrustCenter intentionally did not ask for insertion of the "TC Class 0"
root cert
Joe Orton wrote, On 2009-03-17 08:55:
> It seems like a poor trade-off to require a larger memory footprint of
> all the SSL servers in the world,
I hear that disk space is pretty cheap these days. 1TB == USD 85
> rather than improve Firefox to be a bit smarter about caching/
> allowing-to-be-
Jean-Marc Desperrier wrote, On 2009-03-18 02:50:
> Robert Relyea wrote:
>> [...] At the
>> cost of about 20 bytes per client you would rather chew up CPU and
>> network resources?
>
> It's very far from being that small usually. It can't be that small if
> client authentication is used.
>
> Ther
Robert Relyea wrote:
> [...] At the
> cost of about 20 bytes per client you would rather chew up CPU and
> network resources?
It's very far from being that small usually. It can't be that small if
client authentication is used.
There's an extension to TLS to offset the cost to the client (the serv
Hi,
It is planned to phase out the "TC Class 2 CA" and "TC Class 3 CA" 1024 bit
root certificates - which have already been included in Mozilla - before the end
of 2010.
There is not yet a schedule for phasing out the "TC Class 2 CA II" and "TC
Class 3 CA II" root certificates.
We'll continue to use