I don't know how it maps to NSS, but at the PKCS#11 layer you can generate a
key pair, export the public key (even in FIPS mode, because it's public), use
the public key to encrypt your secret key, then unwrap that with the private
key. Then you can use that secret key to unwrap private keys.
(A
On 05/05/15 16:55, David Woodhouse wrote:
On Mon, May 4, 2015 1:25 pm, David Woodhouse wrote:
>> Hm... so if I have two certificates; one with:
>> CKA_SUBJECT: "My CA"
>> CKA_LABEL: "My CA (2010 instance)"
>> and the other:
>> CKA_SUBJECT: "My CA"
>> CKA_LABEL: "My CA
On 04/05/15 21:53, David Woodhouse wrote:
On Mon, May 4, 2015 1:25 pm, David Woodhouse wrote:
Surely that's not unique? Using the above example, surely the first
certificate issued by the 2010 instance of 'My CA', and the first
certificate issued by the 2015 instance, are both going to hav
On 30/04/15 17:56, David Woodhouse wrote:
Has anyone looked at implementing RFC7512 support, allowing an object
to be specified by a PKCS#11 URI?
I don't suppose you know why RFC 7512 uses CKA_ID but not CKA_SUBJECT,
when PKCS#11 says " The*CKA_ID*attribute is intended as a means of
distinguish
On 30/05/14 19:55, Jonathan Schulze-Hewett wrote:
Another bit of oddness. I can put the PKCS#11 device into "read only" mode
where it only supports CKS_RO_PUBLIC_SESSION and CKS_RO_USER_FUNCTIONS
states and asserts the CKF_WRITE_PROTECTED flag. In this state Firefox
attempts to call C_CreateObjec
On 20/05/14 02:18, Wan-Teh Chang wrote:
On Fri, May 16, 2014 at 2:19 AM, Vicente Olivert Riera
wrote:
Sorry, I'm not english native. What's the meaning of "I'd like *wtc* to way
in"?
"wtc" is my user id (from the initials of my name) :-)
And "way in" is a typo for "weigh in".
http://www.me
On 12/04/14 21:33, Florian Weimer wrote:
* Julien Pierre:
Strange that "PKCS#11 support" is listed as a "con" for NSS .
I found the PKCS#11 approach rather difficult to deal with if you're
adding cryptography to some library whose client code has no idea that
there is cryptography involved (a
On 08/04/14 13:11, Jean-Marc Desperrier wrote:
Ryan Sleevi a écrit :
reliance on PKCS#11 means that there are non-trivial overheads when
doing something as "simple" as hashing with SHA-1. For something that is
such a "simple" transformation, multiple locks must be acquired and the
entire NSS int
On 09/03/14 22:59, Raphael Wegmann wrote:
What about creating a distributed hash-table, where we could count
collectively, which public-key has been used by a particular server
how often?
When I visit amazon.com and my browser tells me, that I am the only
one who got that public-key I'm having, I
On 31/01/14 18:28, Ryan Sleevi wrote:
On Fri, January 31, 2014 9:18 am, Alan Braggins wrote:
On 31/01/14 10:24, Julien Pierre wrote:
On 1/27/2014 10:28, Kathleen Wilson wrote:
Draft Design Doc posted by Ryan Sleevi regarding Chrome migrating from
NSS to OpenSSL:
https://docs.google.com
On 31/01/14 10:24, Julien Pierre wrote:
On 1/27/2014 10:28, Kathleen Wilson wrote:
Draft Design Doc posted by Ryan Sleevi regarding Chrome migrating from
NSS to OpenSSL:
https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s/edit?pli=1
Strange that "PKCS#11 support"
On 27/01/14 17:26, ripber...@aol.com wrote:
2) NIST is a US government standards board that drives a lot of compliance
regulation. There are companies what will want to be able show that they
are NIST compliant. The standard at this point does NOT allow you to
use Camellia. S
On 06/12/13 13:07, firef...@gmail.com wrote:
Hi,
I have a couple of questions concerning certificate handling in Firefox and
PKCS#11.
When Firefox receives a X.509 cert during HTTPS establishment, the certificate
(chain) is validated by NSS, right?! Is this done via PKCS#11 or are Firefox
an
On 22/08/13 11:50, Alan Braggins wrote:
On 21/08/13 18:23, Zack Weinberg wrote:
I share concern
about new side channel attacks due to GMAC, though.
You aren't alone.
https://bugzilla.mozilla.org/show_bug.cgi?id=868948
I asked a friend who works for ARM about the chances of
constant
On 21/08/13 18:23, Zack Weinberg wrote:
On 2013-08-19 2:06 PM, Kurt Roeckx wrote:
I understand that GCM is faster, but the implementations might have side
channel attacks. So I'm not sure if GCM or CBC is better, but
we should probably prefer GCM or CBC.
GCM is (AIUI) preferred because it's
On 19/08/13 19:06, Kurt Roeckx wrote:
I understand that GCM is faster, but the implementations might have side
channel attacks. So I'm not sure if GCM or CBC is better, but
we should probably prefer GCM or CBC.
GCM (while recognizing that it isn't widely supported yet).
(At least unless
http:
16 matches
Mail list logo
