On Mon, Apr 4, 2016 at 4:09 PM, David Woodhouse wrote:
> I'm perfectly happy to entertain the notion of adding new functions for
> PK11_FindCertsFromURI() (et al.), but I was looking for *real*
> information about whether it was actually necessary. Which you don't
> seem to be able to provide with
On Mon, 2016-04-04 at 16:04 -0700, Ryan Sleevi wrote:
>
> I've already tried to explain this several times to you. I don't feel
> there's anything more useful to contribute.
Very well. From my point of view it seems that you have offered straw
men, and talked about what would happen if NSS starte
On Mon, Apr 4, 2016 at 3:53 PM, David Woodhouse wrote:
> Of course it's an API change. But as noted, it's an API *addition*, in
> that it makes something work that didn't before.
>
> The criterion for such additions should be "if it isn't a *bad* thing
> for that to start working".
>
> What's miss
On Mon, 2016-04-04 at 15:49 -0700, Ryan Sleevi wrote:
> I appreciate your argument "but user provided!", but you seem to be
> missing the core point - you're changing the syntax of an API's
> arguments, in a way that breaks the previously-held pre and post
> conditions. That's an API change.
>
> I
On Mon, Apr 4, 2016 at 3:45 PM, David Woodhouse wrote:
> That won't change. Unless you explicitly use a new function that
> provides a URI instead of a nickname, of course.
>
> You will *only* get a URI from direct user input, in a situation where
> a user could already feed you any kind of nonsen
On Mon, 2016-04-04 at 15:19 -0700, Ryan Sleevi wrote:
> On Mon, Apr 4, 2016 at 12:39 PM, David Woodhouse wrote:
> >
> >
> > We usually reserve the term "breaks the API" for when something *used*
> > to work, and now doesn't. Not when a previously-failing call now
> > actually does something usef
On Mon, Apr 4, 2016 at 12:39 PM, David Woodhouse wrote:
>
> We usually reserve the term "breaks the API" for when something *used*
> to work, and now doesn't. Not when a previously-failing call now
> actually does something useful.
No, sorry David, that's not how we've done stuff in NSS.
When it
On Mon, 2016-04-04 at 12:17 -0700, Ryan Sleevi wrote:
>
> Your justification seems to be that because you can't imagine my
> application doing it, I shouldn't be concerned. But just re-read the
> above and you can see how it affects every application - there's now a
> new structure and form, and t
On Mon, 2016-04-04 at 12:21 -0700, Ryan Sleevi wrote:
> On Mon, Apr 4, 2016 at 11:32 AM, David Woodhouse wrote:
> >
> > I don't see it. I still don't see *any* way for you to get a PKCS#11
> > URI anywhere in the memory space of your application, unless you
> > specifically ask for one with a new
On Mon, Apr 4, 2016 at 11:32 AM, David Woodhouse wrote:
> I don't see it. I still don't see *any* way for you to get a PKCS#11
> URI anywhere in the memory space of your application, unless you
> specifically ask for one with a new API — or unless you take untrusted
> input from the user or an edi
On Mon, Apr 4, 2016 at 11:32 AM, David Woodhouse wrote:
> Do you even have a way for a nickname to be entered in text form, such
> that you could "maliciously" be given a PKCS#11 URI instead of the
> normal "token:nickname" form? Perhaps a user could edit a config file?
> Or is it *all* selected v
On Mon, 2016-04-04 at 08:23 -0700, Ryan Sleevi wrote:
> This is, of course, demonstrably false. One can no longer filter the inputs
> to this API if your change is accepted, because the format will have
> changed. For example, colon no longer becomes the separator between the
> token and the nickna
On Monday, April 4, 2016, David Woodhouse wrote:
>
> I didn't call you a liar. I simply said that I can't see how the
> statement you made could be anything but false. There are plenty of
> reasons that could be the case — including my own ignorance — which
> don't involve you telling a deliberat
On Mon, 2016-04-04 at 07:48 -0700, Ryan Sleevi wrote:
>
> On Apr 4, 2016 7:15 AM, "David Woodhouse" wrote:
> >
> > Ryan?
> >
> > Unless you are able to provide an explanation of how this would "break
> > Chrome's use of the API", I shall continue to assume that your
> > statement was false, and d
On Apr 4, 2016 7:15 AM, "David Woodhouse" wrote:
>
> Ryan?
>
> Unless you are able to provide an explanation of how this would "break
> Chrome's use of the API", I shall continue to assume that your
> statement was false, and design accordingly.
>
> I certainly can't see how it could have any basi
On Thu, 2016-03-17 at 15:18 +, David Woodhouse wrote:
>
> > I am still strongly opposed to introducing this behaviour to the existing
> > functions. The nickname functions already have significant magic attached
> > to them, both in parsing from NSS APIs and in providing to NSS APIs
> > (filte
Hi,
I think you're missing one -.
command should be
certutil -A -d . -n foo -i TooatCA.pem --extNC -t "C,C,C"
Thanks
On 04/04/2016 05:20 AM, Ángel González wrote:
Hello all
I have an unrestricted CA I would like to trust for *some* domains. The
NSS seems to support this. It should be possible