On Wed, Oct 7, 2009 at 4:11 PM, Ian G wrote:
I *know* that it does not check that the cert is issued by a CA that is
trusted for client auth, because in Firefox, NO CAs are trusted for
client auth. (Does that surprise you?)
Yes!
why? Firefox doesn't have clients, so it doesn't need to au
On 07/10/2009 22:09, Nelson B Bolyard wrote:
On 2009-10-07 10:32 PDT, Kyle Hamilton wrote:
The problem with this analysis is that I have yet to see any situation
where Mozilla's client certificate support meets *anyone's* needs.
Well, of course, we don't hear from the people for whom it works
Hi,
is there any way to overwrite the default behaviour that a remote SSL host
is verified against the CA list in the certdb?
thanks, Günter.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
On 07/10/2009 22:17, Anders Rundgren wrote:
I don't believe that client certificates in PCs will ever become mainstream since
credential mobility and distribution issues have proved to be insurmountable; not
technically but politically.
However, in mobile phones at least the mobility issue is
On 2009-10-07 13:33 PDT, Eddy Nigg wrote:
>> And in the absence of
>> that trust, checking a cert for revocation is pretty tough. :)
>
> Check it out. If the root is trusted and the client cert has an OCSP AIA
> URI it checks.
Given that Firefox trusts NO roots for issuing client certs, Firefox
On 10/07/2009 10:09 PM, Nelson B Bolyard:
Kyle, Eddy claims that Firefox checks the user's own local cert for
revocation. I claim it does not. I claim that it neither checks the
cert for revocation,
Did you check? Try OCSP hard fail...I'm not against it at all, just the
messages must improv
On 10/07/2009 10:17 PM, Anders Rundgren:
I don't believe that client certificates in PCs will ever become mainstream since
credential mobility and distribution issues have proved to be insurmountable; not
technically but politically.
However, in mobile phones at least the mobility issue is sol
I don't believe that client certificates in PCs will ever become mainstream since
credential mobility and distribution issues have proved to be insurmountable; not
technically but politically.
However, in mobile phones at least the mobility issue is solved (phone=token) which
is also the reason
On 2009-10-07 10:32 PDT, Kyle Hamilton wrote:
>
> The problem with this analysis is that I have yet to see any situation
> where Mozilla's client certificate support meets *anyone's* needs.
Well, of course, we don't hear from the people for whom it works.
We only hear from those for whom it doe
On Wed, Oct 7, 2009 at 6:57 AM, Ian G wrote:
> On 07/10/2009 15:46, Anders Rundgren wrote:
>>
>> Ian G wrote:
>>> For Mozilla, which should be interested in end-user security, an
>>> entirely different subject to client-wallet security, this should be
>>> much closer to something interesting.
>>
On 2009-10-07 10:06 PDT, Nelson B Bolyard wrote:
> On 2009-10-07 04:09 PDT, Konstantin Andreev wrote:
>> On Tue, 06 Oct 2009, Wan-Teh Chang wrote:
>>> On Tue, Oct 6, 2009 at 3:04 AM, Konstantin Andreev
>>> wrote:
>
Please advise, how can I save DER tag-length in item safely?
>>> I suspect
On 2009-10-07 04:09 PDT, Konstantin Andreev wrote:
> On Tue, 06 Oct 2009, Wan-Teh Chang wrote:
>> On Tue, Oct 6, 2009 at 3:04 AM, Konstantin Andreev
>> wrote:
>>> Please advise, how can I save DER tag-length in item safely?
>> I suspect that the SEC_ASN1_ANY decoder modifier is what you want,
On Tue, 07 Oct 2009, Robert Relyea wrote:
On 10/06/2009 01:14 AM, Konstantin Andreev wrote:
On Mon, 05 Oct 2009, Robert Relyea wrote:
On 10/05/2009 09:27 AM, Konstantin Andreev wrote:
Could you please advise how I should handle CKA_NETSCAPE_DB for GOST private keys?
GOST private key? Are
On Wed, 07 Oct 2009, Wan-Teh Chang wrote:
On Wed, Oct 7, 2009 at 4:09 AM, Konstantin Andreev wrote:
I've checked this. SEC_ASN1_ANY saves tag-length prefix, but ignores tag
number, thus matches anything.
If SEC_ASN1_ANY doesn't work for you, the only solution I have is to re-encode
the deco
I was probably unclear; I really meant PKI for external users like
on-line banking.
Microsoft have privately acknowledged that Java applets have replaced CryptoAPI
in many of these applications while Mozilla seems to get hung on such input.
probably have less than 2% market for client-side PKI.
On 07/10/2009 13:24, Eddy Nigg wrote:
On 10/07/2009 07:25 AM, Kyle Hamilton:
Your comments suggest to me that NSS (and Firefox) *should not* be
enforcing any checks on the certificates, other than noting that
they're expired or revoked to the user in the certificate selection
dialog. If it has o
On 07/10/2009 15:46, Anders Rundgren wrote:
Ian G wrote:
For Mozilla, which should be interested in end-user security, an
entirely different subject to client-wallet security, this should be
much closer to something interesting.
It should but it isn't since nobody from Mozilla (unlike Microsof
On 07/10/2009 15:27, Gervase Markham wrote:
On 06/10/09 12:18, Ian G wrote:
It is somewhat of an eternal discussion at the pub as to why this part
of the SSL project moved to the "demo" stage and then stopped. I would
say that it is because the industrials that were interested in it
couldn't see
Ian G wrote:
For Mozilla, which should be interested in end-user security, an
entirely different subject to client-wallet security, this should be
much closer to something interesting.
It should but it isn't since nobody from Mozilla (unlike Microsoft), has
shown any interest in why government
On Wed, Oct 7, 2009 at 4:09 AM, Konstantin Andreev wrote:
>
> I've checked this. SEC_ASN1_ANY saves tag-length prefix, but ignores tag
> number, thus matches anything.
>
>>
>> If SEC_ASN1_ANY doesn't work for you, the only solution I have is to
>> re-encode the decoded SECItem.
>
> I think it's be
On 06/10/09 12:18, Ian G wrote:
It is somewhat of an eternal discussion at the pub as to why this part
of the SSL project moved to the "demo" stage and then stopped. I would
say that it is because the industrials that were interested in it
couldn't see how to monetarise the client cert, so they d
On 10/07/2009 01:24 PM, Eddy Nigg:
Most funny is, when you don't want to choose any of the certificates
for authentication and you hit "Cancel" Firefox nevertheless decides
to send a "Go new cert" message. But it's so brain-dead today, when
you want to try it again and you had by mistake the d
On 10/07/2009 07:25 AM, Kyle Hamilton:
Your comments suggest to me that NSS (and Firefox) *should not* be
enforcing any checks on the certificates, other than noting that
they're expired or revoked to the user in the certificate selection
dialog. If it has only one certificate that matches the i
On Tue, 06 Oct 2009, Wan-Teh Chang wrote:
On Tue, Oct 6, 2009 at 3:04 AM, Konstantin Andreev wrote:
One more question about decoding DER structures.
Some PKCS#11 mechanisms (namely, CKM_GOSTR3410 ) accept DER-encoded parameters,
which include DER tag-length prefix.
I dissect these parameters
24 matches