My apologies, I thought we were discussing the alert protocol in
general, as relates to TLS and how to tell the client what's going on,
not specifically Firefox's/NSS's behavior. It's important to get an
understanding of what's going on before trying to decide whether any
change is necessary. I'm

On 10/07/2009 02:04 AM, Kyle Hamilton:
There is absolutely *NO*
requirement that the client send a currently-valid certificate, and
it's up to the server to detect that.
E, btw, that's not entirely correct because the client does perform
many checks. Obviously SHOULD the client send so

Kyle, what you apparently don't seem to get here is, that users of
Firefox (but also other browsers) experience the most difficulties
BEFORE the browser even tries to send anything. The browser doesn't say
"Hey listen buddy, this server wants that you authenticate with a
client certificat

If there's no client certificate, either "access_denied",
"bad_certificate", or "certificate_unknown". (I'd suggest the first,
since without a certificate you won't grant access.)
Your TLS implementation *can* check the status of the certificate
before it's even ever passed to the application lay

On 10/06/2009 01:14 AM, Konstantin Andreev wrote:
> Hello, Robert.
>
> On Mon, 10 Oct 2009, Robert Relyea wrote:
>> On 10/05/2009 09:27 AM, Konstantin Andreev wrote:
>>>
>>> Could you, please, advise, how should I handle CKA_NETSCAPE_DB for
>>> GOST private keys ?
>>
>> GOST private key? Are you ta

On 10/06/2009 08:44 PM, Kyle Hamilton:
On Mon, Oct 5, 2009 at 11:38 AM, Eddy Nigg wrote:
I don't think anyone is doubting that both FF and IE have some problems
with the way they handle client auth. Most of these problems can be
worked around on the server (use request, not require, throug

On Mon, Oct 5, 2009 at 11:38 AM, Eddy Nigg wrote:
>> I don't think anyone is doubting that both FF and IE have some problems
>> with the way they handle client auth. Most of these problems can be
>> worked around on the server (use request, not require, through an error
>> page if the cert you wa

On 2009-10-06 02:13 PDT, Konstantin Andreev wrote:
> Hello, Nelson.
>
> On Mon, 10 Oct 2009, Nelson B Bolyard wrote:
>> On 2009-10-05 02:20 PDT, Konstantin Andreev wrote:
>>> I need to decode some DER-encoded ASN1 CHOICE, but I can't manage
>>> this in a reasonable way.
>>
>> FYI, the documentatio

On Tue, Oct 6, 2009 at 3:04 AM, Konstantin Andreev wrote:
> Hello.
>
> One more question about decoding DER structures.
>
> Some PKCS#11 mechanisms (namely, CKM_GOSTR3410 ) accept DER-encoded
> parameters, which include DER tag-length prefix.
>
> I dissect these parameters from some wrapping DER s

On 10/06/2009 01:18 PM, Ian G:
Thing is, client certs is one of the few bright spots in security,
looking forward. They remove the passwords from the equation.
For once we are on the same page
And for those who can still dream, it opens the way for things like
signing of documents ;-)

On 06/10/2009 00:48, Robert Relyea wrote:
Fortunately, I don't believe this is the final word on the matter.:)
One would hope not :)
Thing is, client certs is one of the few bright spots in security,
looking forward. They remove the passwords from the equation. This
forces that phisher-at

Hello.
One more question about decoding DER structures.
Some PKCS#11 mechanisms (namely, CKM_GOSTR3410 ) accept DER-encoded parameters,
which include DER tag-length prefix.
I dissect these parameters from some wrapping DER structure by
SEC_QuickDERDecodeItem. Unfortunately, I could not find a

Hello, Nelson.
On Mon, 10 Oct 2009, Nelson B Bolyard wrote:
On 2009-10-05 02:20 PDT, Konstantin Andreev wrote:
I need to decode some DER-encoded ASN1 CHOICE, but I can't manage this in a
reasonable way.
FYI, the documentation on NSS's ASN.1 encoder and its two decoders is at
http://www.mozi

Hello, Robert.
On Mon, 10 Oct 2009, Robert Relyea wrote:
On 10/05/2009 09:27 AM, Konstantin Andreev wrote:
In the source code of the "softoken" library I see various conditional
manipulations with CKA_NETSCAPE_DB attribute of private keys.
Since I am adding a new (GOST) type of private key to