useful to have this detail output as
an XML file to the file-system, so that audit tools in the
future can automatically pick it up, parse it and determine if
the settings are in compliance with a defined security policy
at a company.
Arshad Noor
StrongAuth, Inc.
Justin wells wrote:
Hi Ian,
will necessitate using the SunPKCS11
bridge), we plan to use jTSS (http://trustedjava.sourceforge.net/)
and eventually, the JSR-321 interface, which should provide native
access to the TPM (lesser integration headaches, hopefully).
Arshad Noor
StrongAuth, Inc.
Martin Schneider wrote:
Hello Ar
hrough the SunPKCS11 bridge).
You didn't specify the platform - if you're using Windows, your TPM
provider probably has a PKCS#11 library already bundled in the TPM
software distribution.
Arshad Noor
StrongAuth, Inc.
Martin Schneider wrote:
Hello everybody,
I'm new to this topic, so it
left up to their own tolerance for risk. If
Mozilla chooses to include only certificates with stronger algorithms
in the NSS database - that's a different policy decision.
Arshad Noor
StrongAuth, Inc.
Kathleen Wilson wrote:
When processing a cert chain, does Mozilla use a specified algori
specification distinct from the #12; otherwise they would have just
recommended using #12 for all stages of the certificate issuance
process.
Arshad Noor
StrongAuth, Inc.
Jean-Marc Desperrier wrote:
It's technically feasible (it does not break the format) to create a
private key only pkcs#12,
-
upport on both tools. Good luck.
Arshad Noor
StrongAuth, Inc.
Nelson Bolyard wrote:
The NSS team participated in the process of defining PKCS#12 precisely
to avoid the security trap of exporting private keys in PKCS#8 format.
Avoiding that trap is precisely why PKCS#12, and not PKCS#8, is
FYI.
Original Message
Subject: New W3C XML Security Specifications
Date: Fri, 27 Feb 2009 14:10:04 -0500
From: Sean Mullan
Reply-To: security-...@xml.apache.org
To: security-...@xml.apache.org
The W3C XML Security Working Group has just released 7 first public working
drafts o
ch might defeat what you're attempting to achieve).
This is about the closest you can get without the use of a TPM
chip. What the TPM gives you is a keystore that is embedded on
the motherboard by the manufacturer and which cannot be moved
from one PC to another.
Hope that helps.
Arshad
currently awaiting FDA approval
before coming to market.
Feel free to get in touch with us, if we can be of any help to you.
Arshad Noor
StrongAuth, Inc.
Denis McCarthy wrote:
Thanks for the suggestion David. Unfortunately we are not connecting
to an active directory domain - our application has
while an OASIS-specific (DRAFT-8) implementation will
be out later this year.
If there are specific symmetric key-management requirements you have
that are not addressed in this specification, now would be a good time
to let me know.
Arshad Noor
StrongAuth, Inc.
D3|\||\|!$ wrote:
Hi All!
I am lo
FYI.
Arshad Noor
StrongAuth, Inc.
- Forwarded Message -
From: "Mary McRae"
To: memb...@lists.oasis-open.org, tc-annou...@lists.oasis-open.org
Sent: Thursday, December 11, 2008 8:29:35 AM (GMT-0800) America/Los_Angeles
Subject: [members] Public Review of SKSML v1.0 - 15
ing system example, it would be analogous
to the order receivers being able to share the encrypted PO dynamically
with a select sub-group out of a group of hundreds of thousands of parts
suppliers to the vendor).
Arshad Noor
StrongAuth, Inc.
Anders wrote:
> When any of you guys have made a *
"man keytool" provide all
details.
Arshad Noor
StrongAuth, Inc.
fat.fuck wrote:
On 2 Dec, 22:11, Arshad Noor <[EMAIL PROTECTED]> wrote:
Finally, if you're going to be using digital certificates, while
openssl will do the job for you, since you say you know Java, you
can als
keytool from the JDK to create your key, cert and P12 -
all using the same command; you can then just import the P12 to the
Mozilla databases. If you want to use an industrial-strength tool
for your certificates, either use DogTag or EJBCA.
Arshad Noor
StrongAuth, Inc.
fat.fuck wrote:
bebop$ /d
Tbird
placed his digital certificate in your Tbird's certificate-store and
consequently, you had his (the recipient) digital certificate to
encrypt your message with.
Hope that helps.
Arshad Noor
StrongAuth, Inc.
Paul Kinzelman wrote:
I originally posted this issue on moz.sup.tbird and some
whatever duration
you desire with the tools; you just need to specify it explicitly
when creating the certificate.
Out of curiosity, what is the key-size for the key-pair of this
40-year certificate?
Arshad Noor
StrongAuth, Inc.
[EMAIL PROTECTED] wrote:
> Hi,
>
> When you crea
FYI.
Original Message
Subject: [P1619-3] Early Registration Deadline for KMS 2008 Extended to
August 31, 2008
Date: Sat, 16 Aug 2008 18:18:54 -0600
From: Matt Ball <[EMAIL PROTECTED]>
Reply-To: Matt Ball <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
To give eve
://www.strongkey.org.
One of the cryptographic libraries supported by this implementation is
NSS through the SunPKCS11 bridge.
Thank you.
Arshad Noor
StrongAuth, Inc.
- Forwarded Message -
From: "Mary McRae" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED], [EMAIL PROTECTED]
Cc
c Key Client Library). It can use JKS, NSS and
smartcard-based keystores from the same Java-based application.
Arshad Noor
StrongAuth, Inc.
P.S. If you absolutely needed to keep the keys in JKS on the client
side and NSS on the server side, then you can use the source code in
StrongKey to move the
certificates in
its devices for anti-counterfeiting) I have summarized some guidelines
in an article called "Building a Successful PKI" that was
published in the ISSA Journal some years ago. It is available to ISSA
members in their archives, or if interested readers send me an
licies and
procedures with reasonable diligence, then I would argue that there is
no difference between self-signed or public-CA issued certs.
Arshad Noor
StrongAuth, Inc.
Nelson B Bolyard wrote:
> The big warning paragraph that you quoted (and I snipped) is really trying
> to warn ag
de is available at www.strongkey.org.
We haven't tried it with the NSS store in FIPS mode, so I can't predict
what might happen.
Arshad Noor
StrongAuth, Inc.
Glen Beasley wrote:
> Yevgeniy Gubenko wrote:
>> The main reason not to work with JSS is the following paragraph written in
>
FYI.
- Forwarded Message -
From: "Matt Ball" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Sent: Wednesday, May 28, 2008 1:37:18 PM (GMT-0800) America/Los_Angeles
Subject: [P1619-3] Last reminder: Call for Speakers and Sponsors for the
2008 Key Management Summit Ends This Friday
(Ple
It can be "ordered to decrypt system passwords"??? So, I wonder
what attackers can do with this...
Arshad Noor
StrongAuth, Inc.
"Microsoft revealed its development of a digital forensic analysis toolkit at a
security conference yesterday as part of a wider discussion of how tec
Fascinating!
This may be the first phishing e-mail I've seen that uses
a message related to digital certificates for attacking the
client; I am not a customer of Comerica.
Has anyone else seen this before?
Arshad Noor
StrongAuth, Inc.
Original Message
Subject:S
Had to remove the link so it would get past the spam-filters;
apologies if you see multiple postings.
Arshad Noor wrote:
> Fascinating!
>
> This may be the first phishing e-mail I've seen that uses
> a message related to digital certificates for attacking the
> client; I
You could use the recently open-sourced Dogtag from Red Hat to
set up a CA and use their web interface to get client (and server)
certificates.
http://pki-svn.fedora.redhat.com/wiki/PKI_Main_Page
Arshad Noor
StrongAuth, Inc.
brieweb wrote:
> How do I create a private key for Firefox, or mozi
s/etc., but there are tokens and
drivers for other platforms too.
The certificates themselves can be stored anywhere, since they do
not contain any secrets - local files, LDAP, etc. - whatever
works for you.
Arshad Noor
StrongAuth, Inc.
D3|\||\|!$ wrote:
> Hi all!!!
>
> I'm develop
they can
achieve the same effect with open-source libraries and one
signing certificate for less than $100 per year.
Arshad Noor
StrongAuth, Inc.
Nelson Bolyard wrote:
> Maybe this is news only to me. :-)
>
> Today I received an email from a nationally known merchant with whom I
> h
translation. However, you will need to configure each vendor's
library correctly in the Bridge configuration file.
Arshad Noor
StrongAuth, Inc.
- Original Message -
From: "David Stutzman" <[EMAIL PROTECTED]>
To: dev-tech-crypto@lists.mozilla.org
Sent: Friday, October 5,
I don't have the answer to this, Alberto. Forwarding to the
list for you. You should subscribe to this list so you can
post to it directly. Happy to help this time.
Arshad Noor
StrongAuth, Inc.
Original Message
Subject: RE: About Firefox security.
Date: Fri, 21 Sep 20
Alberto found his solution independently and requested that
I post this for him.
Arshad Noor
StrongAuth, Inc.
Original Message
Subject: RE: About Firefox security.
Date: Fri, 21 Sep 2007 10:30:19 -0500
From: Alberto Hernandez <[EMAIL PROTECTED]>
To: 'Arshad No
lls native
libraries from Mozilla/CAPI to create digital signatures from keys stored
in the Firefox/IE keystores?
Or is it something else? The question is - how are the PKCS #7 signatures
being created and what role does the browser have in creating them?
Arshad Noor
StrongAuth, Inc.
- Origin
this will ensure
that FCC and the JCE environment stay in lock-step.
Arshad Noor
StrongAuth, Inc.
- Original Message -
From: "Jean-Marc Desperrier" <[EMAIL PROTECTED]>
To: dev-tech-crypto@lists.mozilla.org
Sent: Wednesday, September 12, 2007 6:22:02 AM (GMT-0800) Ameri
e for Java developers to write applications
that do not stray from the JCE API *and* will still work
with the FCC implementation seamlessly without the need for
a PKCS11/CAPI Bridge.
Arshad Noor
StrongAuth, Inc.
Steve Parkinson wrote:
> Robert Relyea wrote:
>
>>Arshad Noor wrote:
>
into becoming
just another pluggable JCE Provider and hide the access
to the consolidated Fedora crypto keystore/library
behind that interface. You will then be doing two
communities a great service.
I'm looking forward to seeing this work come to fruition;
you can count on my support.
A
Thanks for the deeper explanation, Bob.
I continue to get a little more educated each day - I am grateful to
all for that. :-)
Arshad Noor
StrongAuth, Inc.
- Original Message -
From: "Robert Relyea" <[EMAIL PROTECTED]>
To: "Arshad Noor" <[EMAIL PROTECTED
See below, Alex.
Arshad Noor
StrongAuth, Inc.
- Original Message -
From: "Alexander Klink" <[EMAIL PROTECTED]>
The typical user does not have a client authentication certificate,
so after installing one for him, the browser will send that out
to anyone who is asking.
? And what happens to the users
who do not have client-certs issued by this CA when they
attempt to connect to the site?
Arshad Noor
StrongAuth, Inc.
- Original Message -
From: "Alexander Klink" <[EMAIL PROTECTED]>
Tracking visitors in an unnoticed way over several doma
OASIS EKMI Technical Committee):
http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=ekmi
Thanks.
Arshad Noor
StrongAuth, Inc.
---
Registration opens for free IDtrust workshop in Barcelona
The OASIS IDtrust Member
Two questions:
1) What is the difference between the commercial version of the software
vs. OpenSC version?
2) Why can they both not access the same objects (private keys and certs)
if the objects are stored in industry-standard formats?
Arshad Noor
StrongAuth, Inc.
- Original
wouldn't have worked with a token that
would not have given up the private key).
Glad to know that a new build of certutil will address this problem.
Thanks.
Arshad Noor
Nelson B wrote:
> Arshad Noor wrote:
>
>>I'm trying to use certutil to renew a certificate with an existing
>
I'm trying to use certutil to renew a certificate with an existing
key-pair. However, it appears that the -R option always generates
a new key-pair; how does one generate a CSR using existing keys with
certutil? Or should I be using some other tool? TIA.
Arshad
FYI.
--- Begin Message ---
Please forward to all appropriate contacts and lists. They're all free.
Thanks.
Arshad Noor
StrongAuth, Inc.
Register now for the OASIS Series of SECURITY Standards Webinars!
It's everything you always wanted to know about security standards--from the
l (Google for both of these).
Arshad Noor
StrongAuth, Inc.
- Original Message -
From: Atha <[EMAIL PROTECTED]>
Date: Wednesday, June 6, 2007 1:00 am
Subject: smart card - pki - mozilla/firefox
> Hello to all
> We currently use an open+custom PKI that supports smartcards with
>
eate a P12
file for RSA and ECDSA key-pairs that is portable to any application
that recognizes P12 files.
Arshad Noor
StrongAuth, Inc.
kcsasquatch wrote:
> Thanks Arshad, your comment led me to a solution that worked for me.
>
> http://oy-oy.eu/huh/firefox-extension-code-signed-with-spc-p
See if the MS-certutil version gives you an option to convert your
private-key and certificate to a PKCS#12 file (PFX). If it does,
then do so and then you can import the P12 file into the Mozilla
keystore with Mozilla-certutil.
Arshad Noor
StrongAuth, Inc.
kcsasquatch wrote:
Hi,
I have a MS
GUI makes it just a little easier for some people.
More information and downloads of the binary and source can be found
at http://www.strongauth.com/csrtool. Documentation is included in
the downloads, and a forum for discussion of the tool is available at
that site.
Enjoy!
Arshad Noor
Strong
Out of curiosity, what is that file of encrypted passwords called,
Nelson? I thought the passwords were stored in key3.db too.
Arshad Noor
StrongAuth, Inc.
Nelson B wrote:
FF users who are trying to copy those files from one "profile" to another
should copy the cert and key DBs an
FYI.
Arshad Noor
StrongAuth, Inc.
Original Message
Subject: [ekmi] OASIS Call for Participation: EKMI TC
Date: Mon, 11 Dec 2006 21:09:13 -0500
From: Mary McRae <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
Organization: OASIS
To: [EMAIL PROTECTED], [EMAIL PROTECT
. I'd be happy to answer questions on it,
but official comments should go to the OASIS site. Thanks.
Arshad Noor
StrongAuth, Inc.
Original Message
Subject: Proposed charter for OASIS EKMI TC
Date: Wed, 08 Nov 2006 18:24:53 -0800
From: James Bryce Clark <[EMAIL PROTEC
rtificates: validity, trust, revocation status, key-usage, etc.
Arshad Noor
StrongAuth, Inc.
Christian Bongiorno wrote:
I attempt to access a web page that requires a client certificate. I get
prompted for which cert to use, I select it, and then I get a blank
page. I look at the page source, and not
ake sure you've checked your options to show hidden files and system
folders.
You're welcome.
Arshad Noor
StrongAuth, Inc.
Ronald Mckenzie wrote:
Good start. Where are the locations for the default Mozilla certs on
Windows? I searched for cert7 and found nothing. Is it written into the
e
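# Arguments: $1 = certificate database directory, $2 = file of nicknames, one per line
if [ $# -ne 2 ]; then
    echo "Usage: $0 <cert DB directory> <file of nicknames to remove>"
    exit 1
fi
# Read the nickname file on descriptor 3 so certutil cannot consume it through stdin
exec 3< "$2"
while read -r -u3
do
    # Delete the certificate with this nickname from the database
    certutil -D -d "$1" -n "$REPLY"
    printf 'Deleted %s\n' "$REPLY"
done
# List the certificates that remain
certutil -L -d "$1"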
Hope this helps.
Arshad Noor
StrongAuth, Inc.
[EMAIL PROT
attempt to get the certificate
out into an industry standard encoding for import, rather than attempt
to read the objects and their members directly.
Arshad Noor
StrongAuth, Inc.
Primo It wrote:
Is Primo It wrote:
shinigami wrote:
Hi,
I want to install a cert in a db. But my cert when i re
desired. Of
course, if the JDK does not provide what you need then you
still need to go to the non-JDK API - but we've managed to
stay within the JDK API and work with 5 different crypto
providers through the Bridge, so far.
Arshad Noor
StrongAuth, Inc.
Primo It wrote:
It doesn't work.
I ca
posed in Firefox 2.0:
https://bugzilla.mozilla.org/show_bug.cgi?id=337733
This might provide a third option if you can wait for 2.0
Arshad Noor
StrongAuth, Inc.
Erik Siegemund wrote:
Thanks very much!
But, to clarify - I'm not sure if there are some misunderstandings:
The client certif
t for the applet part, the complete source code to this
design is available, if you wish, at http://www.strongkey.org.
Hope that helps.
Arshad Noor
StrongAuth, Inc.
Erik Siegemund wrote:
Hi,
I'm not sure if this is the correct site. But possibly
it is and someone can help ...
I look for an
That is correct. A P12 file, by definition includes the private
key; and since your TPM does not allow the export of private keys,
this option should be unavailable for certificates which have
corresponding private keys.
All other formats in your list do not include private keys.
Arshad Noor
it into Thunderbird.
Once Thunderbird has your certificate, *and* it sees the TCP
module, it will see the certificate as one for which you have
the Private Key, thus allowing you to sign and/or receive
encrypted e-mails. Good luck.
Arshad Noor
StrongAuth, Inc.
Dave Pinn wrote:
But if you did
th it, you've likely deleted
the Private Key too.
BTW, what model of the HP comes with this chip? Thanks.
Arshad Noor
StrongAuth, Inc.
Dave Pinn wrote:
I am very excited to report that I managed to find a solution, although
why it worked remains a mystery.
I deleted my certificate from Pr
mport it into NSS.
Once you have the Base64-encoded certificate in a file,
you can paste it into an e-mail in this forum if you
need additional help on the certificate.
Arshad Noor
StrongAuth, Inc.
Dave Pinn wrote:
Is there a Mozilla utility with which I can attempt to import a
certific
xpect to go one step further by using the new
SunCAPI bridge and using Windows-specific drivers of CSP's
for which no PKCS11/JCE interface exists.
Arshad Noor
StrongAuth, Inc.
P.S. If you believe that JSS is evolving to map to the JCE
interfaces completely, and if there are specific advant
Arshad Noor
StrongAuth, Inc.
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
/jss/javadoc/org/mozilla/jss/pkix/cms/package-summary.html
http://www.bouncycastle.org/docs/docs1.5/index.html
Arshad Noor
StrongAuth, Inc.
Nelson B wrote:
Ian Coates wrote:
I used crypto.signtext() method on FireFox 1.5 to sign a Text, now I want to
verify that signature on a Java server.
I
ating structure
in established markets; they don't necessarily lead
markets.
Any thoughts from the people at Mozilla/Firefox?
Arshad Noor
StrongAuth, Inc.
So, let me throw out a suggestion to the committers of Mozilla/Firefox:
given that Apache has a C++ li
Mozilla/Firefox will set new standards in applications and
security by supporting such a capability natively. Comments?
Arshad Noor
StrongAuth, Inc.
sing XMLSignature is that you can then parse
out the signed text with other readily-available libraries and
save them into databases (including XML databases) easily.
Arshad Noor
StrongAuth, Inc.
Pablo Andrade wrote:
I would like to ask you, if is there a solution out there so you can verifi
commercial
product, I'm surprised that it generated certificates with duplicate
serial numbers (this is like having multiple records in a relational DB
table with the same primary key).
Thanks for the clarification.
Arshad Noor
StrongAuth, Inc.
Michael Pratt wrote:
It was an oversight. Ou
/technical requirements leading to such a decision. Thanks.
Arshad Noor
StrongAuth, Inc.
Michael Pratt wrote:
I'm cross posting this to crypto and ldap in the hopes nobody else will
waste months of effort on a simple issue :)
Those of you that frequent these boards have probably seen severa
ence containing not more than four
dwelling units is guilty of a felony."
Arshad Noor
StrongAuth, Inc.
David E. Ross wrote:
There are some problems with this concept.
A jurat executed outside of the U.S. by a CA (certificate authority)
operating entirely outside of the U.S. might not b
3) With a slightly modified architecture to Mozilla, it could even
lead to some interesting revenue opportunities for MF, allowing
it to fund future development and some vexing security problems
on the Internet.
Arshad Noor
StrongAuth, Inc.
Frank Hecker wrote:
I didn't envision this a
rough an administrative interface/console) and then setting
the appropriate bits for key-usages for specific certificate types.
Arshad Noor
StrongAuth, Inc.
Nelson B wrote:
Vivek Kumar wrote:
Could anyone please tell me how to change the extension of the server
cert to include "Key en
74 matches