On Wed, Jan 4, 2012 at 3:51 PM, Brian Smith wrote:
>
> But, it is a little distressing that Google Chrome seems to avoid libpkix
> whenever possible, ...
This is not true. In fact, Google Chrome is an early adopter of libpkix,
and works very hard to fix or work around the bugs in libpkix. (Goog
Robert Relyea wrote:
> On 01/04/2012 04:18 PM, Brian Smith wrote:
> Are you actually fetching intermediates?
>
> In the cases where you fetch the intermediates, the old code will not
> work! We don't fetch the intermediate if we already have it, or it's
> already sent in the SSL chain.
>
> If you
>> I am curious as to how smartcard management is supposed to work for Linux.
>> It seems to me that it would be ideal for Firefox to support the shared DB
>> on Linux. Are there OS-level tools for managing the shared DB? For example,
>> is there an OS-level UI for adding/removing PKCS#11 modul
On 01/04/2012 05:17 PM, Brian Smith wrote:
> Robert Relyea wrote:
>> On 01/04/2012 09:04 AM, Anders Rundgren wrote:
There is a capi module in the NSS source tree, but it purposefully
does not surface removable CAPI modules under the assumption that
such devices already have PKCS #11
On 01/04/2012 04:18 PM, Brian Smith wrote:
> Brian Smith wrote:
>> Robert Relyea wrote:
>> When I browse with libpkix enabled (which also enables the
>> intermediate fetching), connecting to HTTPS websites (like
>> mail.mozilla.com)
> ... is much slower, at least when the browser starts up. We may
On 01/04/2012 03:51 PM, Brian Smith wrote:
> I am concerned that the libpkix code is hard to maintain and that
> there are very few people available to maintain it. If we have a group
> of people who are committed to making it work, then Mozilla relying on
> libpkix is probably workable. But, it is
On 01/04/2012 03:51 PM, Brian Smith wrote:
> Ryan Sleevi wrote:
>> IIRC, libpkix is an RFC 3280 and RFC 4158 conforming implementation,
>> while non-libpkix is not. That isn't to say the primitives don't exist -
>> they do, and libpkix uses them - but that the non-libpkix path doesn't use
>> them p
Robert Relyea wrote:
> On 01/04/2012 09:04 AM, Anders Rundgren wrote:
> >> There is a capi module in the NSS source tree, but it purposefully
> >> does not surface removable CAPI modules under the assumption that
> >> such devices already have PKCS #11 modules.
While it may be true that they have
Brian Smith wrote:
> Robert Relyea wrote:
> When I browse with libpkix enabled (which also enables the
> intermediate fetching), connecting to HTTPS websites (like
> mail.mozilla.com)
... is much slower, at least when the browser starts up. We may be able to fix
this with persistent caching of in
Robert Relyea wrote:
> 7. libpkix can actually fetch CRL's on the fly. The old code can only
> use CRL's that have been manually downloaded. We have hacks in PSM to
> periodically load CRL's, which work for certain enterprises, but not
> with the internet.
I am not too concerned with the fetching
Gervase Markham wrote:
> On 04/01/12 00:59, Brian Smith wrote:
> > 5. libpkix has better AIA/CRL fetching: 5.a. libpkix can fetch
> > revocation information for every cert in a chain. The non-libpkix
> > validation cannot (right?). 5.b. libpkix can (in theory) fetch
> > using
> > LDAP in addition t
Ryan Sleevi wrote:
> IIRC, libpkix is an RFC 3280 and RFC 4158 conforming implementation,
> while non-libpkix is not. That isn't to say the primitives don't exist -
> they do, and libpkix uses them - but that the non-libpkix path doesn't use
> them presently, and some may be non-trivial work to imp
On Wednesday, January 4, 2012, Robert Relyea wrote:
> 2 questions:
>
> 1) what happens if you use the NSS smime verifier rather than the
> openssl one.
I've been trying many combinations of parameters and files in different
outputs,
but I've been unable to give any interesting output from
On 01/04/2012 09:04 AM, Anders Rundgren wrote:
> On 2012-01-03 23:44, Robert Relyea wrote:
>> On 12/30/2011 06:53 AM, Anders Rundgren wrote:
>>> On 2011-12-29 23:08, Brian Smith wrote:
Matej Kurpel wrote:
> On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
>> I'm developing pkcs#11 module f
On 01/03/2012 04:59 PM, Brian Smith wrote:
> 1. libpkix can handle cross-signed certificates correctly, without getting
> stuck in loops. Non-libpkix validation cannot.
>
> 2. libpkix can accept parameters that control each individual validation,
> whereas non-libpkix validation relies on global
On 2012-01-03 23:44, Robert Relyea wrote:
> On 12/30/2011 06:53 AM, Anders Rundgren wrote:
>> On 2011-12-29 23:08, Brian Smith wrote:
>>> Matej Kurpel wrote:
On 22. 12. 2011 10:36, Imen Ibn Hotab wrote:
> I'm developing pkcs#11 module for Firefox.
I was developing a PKCS#11 module as
On 04/01/12 00:59, Brian Smith wrote:
> 5. libpkix has better AIA/CRL fetching: 5.a. libpkix can fetch
> revocation information for every cert in a chain. The non-libpkix
> validation cannot (right?). 5.b. libpkix can (in theory) fetch using
> LDAP in addition to HTTP. non-libpkix validation cannot
17 matches